GHSA-HWG5-X759-7WJG

Vulnerability from github – Published: 2026-04-08 19:21 – Updated: 2026-04-09 14:29
VLAI?
Summary
PraisonAI has Template Injection in Agent Tool Definitions
Details

Summary

Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions.

Details

The create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping (as shown in agent_centric_example.py:85-86), template expressions in the input are executed rather than treated as literal text. This occurs because: 1. No input sanitization or escaping is applied to user-controlled content 2. The ACP-enabled runtime auto-approves operations (approval_mode="auto") 3. Tools lack context-aware escaping for template syntax

PoC

# Replace the agent.start() call at line 85 with:
result = agent.start('Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned") }}')

Successful exploitation creates /tmp/pwned confirming arbitrary command execution. The expression {{7*7}} renders as 49 instead of literal text.

Impact

Attackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement.

Recommended Fix

  1. Input Sanitization: Implement strict whitelist validation for file content
  2. Contextual Escaping: Auto-escape template syntax characters (e.g., {{ }}) in user input using Jinja2 autoescape=True
  3. Sandboxing: Restrict template execution environments using secure eval modes
  4. Approval Hardening: Require manual approval for file creation operations in production
Severity ?
8.8 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.5.114"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.115"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-39891"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-08T19:21:22Z",
    "nvd_published_at": "2026-04-08T21:17:01Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nDirect insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions.\n## Details\nThe `create_agent_centric_tools()` function returns tools (like `acp_create_file`) that process file content using template rendering. When user input from `agent.start()` is passed directly into these tools without escaping (as shown in `agent_centric_example.py:85-86`), template expressions in the input are executed rather than treated as literal text. This occurs because:\n1. No input sanitization or escaping is applied to user-controlled content\n2. The ACP-enabled runtime auto-approves operations (`approval_mode=\"auto\"`)\n3. Tools lack context-aware escaping for template syntax\n## PoC\n```python\n# Replace the agent.start() call at line 85 with:\nresult = agent.start(\u0027Create file with content: {{ self.__init__.__globals__.__builtins__.__import__(\"os\").system(\"touch /tmp/pwned\") }}\u0027)\n```\nSuccessful exploitation creates `/tmp/pwned` confirming arbitrary command execution. The expression `{{7*7}}` renders as `49` instead of literal text.\n## Impact\nAttackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement.\n## Recommended Fix\n1. **Input Sanitization**: Implement strict whitelist validation for file content\n2. **Contextual Escaping**: Auto-escape template syntax characters (e.g., `{{ }}`) in user input using Jinja2 `autoescape=True`\n3. **Sandboxing**: Restrict template execution environments using secure eval modes\n4. **Approval Hardening**: Require manual approval for file creation operations in production",
  "id": "GHSA-hwg5-x759-7wjg",
  "modified": "2026-04-09T14:29:49Z",
  "published": "2026-04-08T19:21:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39891"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI has Template Injection in Agent Tool Definitions"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.