PraisonAI, Template Injection, CVE-2026-39891 (High)

Listen to this Post

The create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the input are executed rather than treated as literal text. This occurs because:
– No input sanitization or escaping is applied to user-controlled content
– The ACP-enabled runtime auto-approves operations (approval_mode=”auto”)
– Tools lack context-aware escaping for template syntax
The vulnerability allows an attacker to inject malicious template expressions through agent instructions. For example, the payload {{ self.init.globals.builtins.import(“os”).system(“touch /tmp/pwned”) }} creates /tmp/pwned, confirming arbitrary command execution. The expression {{77}} renders as 49 instead of literal text, demonstrating template evaluation.

dailycve form:

Platform: PraisonAI
Version: <4.5.115
Vulnerability : Template Injection
Severity: High (8.8)
date: 2026-04-08

Prediction: 2026-04-08 (4.5.115)

What Undercode Say:

Analytics

Check PraisonAI version
pip show praisonai | grep Version
Search for vulnerable function usage
grep -r "create_agent_centric_tools" .
Audit for agent.start() calls
grep -r "agent.start(" .

Exploit:

Replace agent.start() call with:
result = agent.start('Create file with content: {{ self.<strong>init</strong>.<strong>globals</strong>.<strong>builtins</strong>.<strong>import</strong>("os").system("touch /tmp/pwned") }}')
Verify exploitation:
ls -la /tmp/pwned

Protection from this CVE

  • Update PraisonAI to version 4.5.115 or later
  • Escape user input passed to agent.start()
  • Implement strict whitelist validation for file content
  • Enable Jinja2 autoescape=True for template rendering
  • Require manual approval for file creation operations in production

Impact

Attackers can execute arbitrary system commands with the privileges of the running process, enabling data theft, ransomware deployment, or lateral movement. The vulnerability is remotely exploitable with low attack complexity and requires low privileges, with no user interaction needed.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top