Vulnerability-Lookup

CVE-2026-39890 (GCVE-0-2026-39890)

Vulnerability from cvelistv5 – Published: 2026-04-08 20:45 – Updated: 2026-04-09 16:16

Title

PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading

Summary

PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.

Severity ?

9.8 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-502 - Deserialization of Untrusted Data

Assigner

GitHub_M

References

URL

Tags

https://github.com/MervinPraison/PraisonAI/securi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	MervinPraison	PraisonAI	Affected: < 4.5.115

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-39890",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-04-09T14:52:17.800295Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-04-09T16:16:51.923Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "PraisonAI",
          "vendor": "MervinPraison",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.5.115"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-502",
              "description": "CWE-502: Deserialization of Untrusted Data",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-08T20:45:30.928Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
        }
      ],
      "source": {
        "advisory": "GHSA-32vr-5gcf-3pw2",
        "discovery": "UNKNOWN"
      },
      "title": "PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-39890",
    "datePublished": "2026-04-08T20:45:30.928Z",
    "dateReserved": "2026-04-07T20:32:03.011Z",
    "dateUpdated": "2026-04-09T16:16:51.923Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-39890\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-04-08T21:17:01.267\",\"lastModified\":\"2026-04-09T17:16:29.663\",\"vulnStatus\":\"Undergoing Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"references\":[{\"url\":\"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\"}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"PraisonAI Affected by Remote Code Execution via YAML Deserialization in Agent Definition Loading\", \"source\": {\"advisory\": \"GHSA-32vr-5gcf-3pw2\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"MervinPraison\", \"product\": \"PraisonAI\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 4.5.115\"}]}], \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2\", \"name\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-502\", \"description\": \"CWE-502: Deserialization of Untrusted Data\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-04-08T20:45:30.928Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-39890\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-04-09T14:52:17.800295Z\"}}}], \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-04-09T14:52:48.391Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-39890\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-04-08T20:45:30.928Z\", \"dateReserved\": \"2026-04-07T20:32:03.011Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-04-08T20:45:30.928Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-39890

Vulnerability from fkie_nvd - Published: 2026-04-08 21:17 - Updated: 2026-04-09 17:16

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server. This vulnerability is fixed in 4.5.115."
    }
  ],
  "id": "CVE-2026-39890",
  "lastModified": "2026-04-09T17:16:29.663",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-04-08T21:17:01.267",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Undergoing Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-502"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-32VR-5GCF-3PW2

Vulnerability from github – Published: 2026-04-08 19:17 – Updated: 2026-04-09 14:29

Summary

PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading

Details

Summary

The AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.

Details

The vulnerability exists in the YAML deserialization process. The js-yaml library's load function is used without specifying a safe schema (e.g., JSON_SCHEMA or DEFAULT_SAFE_SCHEMA). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a !!js/function tag is parsed, the function is evaluated, leading to arbitrary code execution.

The vulnerable code is located in src/agents/agent.service.ts at line 55.

PoC

An attacker can create a malicious agent YAML file with the following content:

!!js/function >
  function(){ require('child_process').execSync('touch /tmp/pwned') }

Then, upload this file as an agent definition via the API endpoint that uses AgentService.loadAgentFromFile. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command touch /tmp/pwned, demonstrating arbitrary code execution.

Impact

This vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration.

Recommended Fix

Replace the unsafe load method with a safe alternative. Specifically, use the load method with a safe schema, such as JSON_SCHEMA or DEFAULT_SAFE_SCHEMA. For example:

import yaml from 'js-yaml';
import { JSON_SCHEMA } from 'js-yaml';

// In the loadAgentFromFile method
const agent = yaml.load(fileContent, { schema: JSON_SCHEMA });

Alternatively, if the application requires only a subset of YAML features, consider using the safeLoad method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code.

Additionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.114"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.115"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39890"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-502"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:17:11Z",
    "nvd_published_at": "2026-04-08T21:17:01Z",
    "severity": "CRITICAL"
  },
  "details": "## Summary\nThe `AgentService.loadAgentFromFile` method uses the `js-yaml` library to parse YAML files without disabling dangerous tags (such as `!!js/function` and `!!js/undefined`). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.\n\n## Details\nThe vulnerability exists in the YAML deserialization process. The `js-yaml` library\u0027s `load` function is used without specifying a safe schema (e.g., `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`). This enables the parsing of JavaScript functions and other dangerous types. When a malicious YAML file containing a `!!js/function` tag is parsed, the function is evaluated, leading to arbitrary code execution.\n\nThe vulnerable code is located in `src/agents/agent.service.ts` at line 55.\n\n## PoC\nAn attacker can create a malicious agent YAML file with the following content:\n```yaml\n!!js/function \u003e\n  function(){ require(\u0027child_process\u0027).execSync(\u0027touch /tmp/pwned\u0027) }\n```\nThen, upload this file as an agent definition via the API endpoint that uses `AgentService.loadAgentFromFile`. When the agent is loaded (either during startup or via an API call that triggers loading), the payload will execute the command `touch /tmp/pwned`, demonstrating arbitrary code execution.\n\n## Impact\nThis vulnerability allows an unauthenticated attacker (if the API endpoint is unprotected) or an authenticated attacker with the ability to upload agent definitions to execute arbitrary code on the server. This can lead to complete compromise of the server, data theft, or further network penetration.\n\n## Recommended Fix\nReplace the unsafe `load` method with a safe alternative. Specifically, use the `load` method with a safe schema, such as `JSON_SCHEMA` or `DEFAULT_SAFE_SCHEMA`. For example:\n\n```typescript\nimport yaml from \u0027js-yaml\u0027;\nimport { JSON_SCHEMA } from \u0027js-yaml\u0027;\n\n// In the loadAgentFromFile method\nconst agent = yaml.load(fileContent, { schema: JSON_SCHEMA });\n```\n\nAlternatively, if the application requires only a subset of YAML features, consider using the `safeLoad` method from an older version (though note it was deprecated). The key is to avoid loading tags that can execute code.\n\nAdditionally, validate and sanitize all user input, especially file uploads. Ensure that agent definition files are only uploaded by trusted users and consider storing them in a secure location with proper access controls.",
  "id": "GHSA-32vr-5gcf-3pw2",
  "modified": "2026-04-09T14:29:45Z",
  "published": "2026-04-08T19:17:11Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39890"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI Vulnerable to Remote Code Execution via YAML Deserialization in Agent Definition Loading"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-39890 (GCVE-0-2026-39890)

FKIE_CVE-2026-39890

GHSA-32VR-5GCF-3PW2

Summary

Details

PoC

Impact

Recommended Fix

Tags

Sightings

Nomenclature