CVE-2026-39891
Published: 08 April 2026
Summary
CVE-2026-39891 is a high-severity Code Injection (CWE-94) vulnerability in Praison Praisonai. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 6.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 requires validation of user inputs from agent.start() to prevent template expressions from being executed as code during tool processing.
SI-2 mandates timely remediation of flaws like the unescaped input processing in create_agent_centric_tools(), as fixed in version 4.5.115.
SI-9 restricts malicious inputs containing template expressions to the tools like acp_create_file, preventing code injection exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The code injection vulnerability (CWE-94) in the public-facing PraisonAI application directly enables exploitation of the app for initial access (T1190) and arbitrary code execution through Python template rendering (T1059.006).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions in the…
more
input are executed rather than treated as literal text. This vulnerability is fixed in 4.5.115.
Deeper analysisAI
CVE-2026-39891 affects PraisonAI, a multi-agent teams system, in versions prior to 4.5.115. The vulnerability resides in the create_agent_centric_tools() function, which returns tools such as acp_create_file that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping, template expressions within the input are executed as code rather than treated as literal text. This constitutes a CWE-94 (code injection) issue with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), published on 2026-04-08.
An attacker requires low privileges (PR:L) to exploit this over the network (AV:N) with low complexity and no user interaction. By supplying malicious input via agent.start() that includes template expressions, the attacker can trigger unintended code execution during tool processing, achieving high impacts on confidentiality, integrity, and availability.
The vulnerability is addressed in PraisonAI version 4.5.115. Additional details on mitigation and patches are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg.
Details
- CWE(s)