PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9.
The parse_mcp_command() function responsible for handling MCP (Multi-agent Command Protocol) commands does not implement an allowlist of commands or validation of passed arguments. An attacker can therefore pass any executable file — including bash, python or /bin/sh — along with flags enabling inline code execution. Such a prepared command is then directly passed to subprocess execution and executed in the operating system context.
An unauthenticated remote attacker can gain full control over the system — execute arbitrary code, read or modify data, and cause service unavailability (RCE with full C/I/A triad).
Update PraisonAI to version 4.6.9 or later, which includes a patch removing the vulnerability (commit 47bff65413beaa3c21bf633c1fae4e684348368c). Details available in the vendor's references (GitHub Security Advisory GHSA-9qhq-v63v-fv3j).
PraisonAI (Praison Praisonai) in versions earlier than 4.6.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HPraison Praisonai
APPPraison< 4.6.9
Related vulnerabilities
Path Traversal i RCE w PraisonAI MCP Server (serwer narzędzi plikowych)
PraisonAI — RCE i command injection przez niezaufowane pliki YAML
PraisonAI – wyciek tokenów GitHub przez atak ArtiPACKED w CI/CD
PraisonAI – nieuwierzytelnione przejęcie sesji przeglądarki przez WebSocket
Path traversal w PraisonAI — nadpisywanie plików przez złośliwy pakiet .praison