Skip to content
Rush Commerce
Software & Dev3 min read

PraisonAI's CVSS-10 RCE: when your agent runs its own code

CVE-2026-61447 gives PraisonAI a perfect 10.0 — the framework runs LLM-generated Python unsandboxed, so one prompt injection becomes remote code execution.

If you stood up an open-source AI agent this year that can "write and run code to figure things out," read this before your next deploy. On July 11, a new CVE landed against PraisonAI, a popular open-source agent framework, and it scored a perfect 10.0 — the maximum. The short version: the framework takes whatever Python the model writes and just runs it. No sandbox. Which means a well-crafted prompt is a shell on your server.

What actually happened

CVE-2026-61447 affects every PraisonAI version before 1.6.78. Per the official record, the framework "contains a remote code execution vulnerability in CodeAgent._execute_python() that executes LLM-generated Python code without AST validation, import restrictions, or sandbox enforcement." Translation: the agent asks the model for code, the model returns code, and the function runs it directly on the host.

The attack path is prompt injection. Feed the agent a poisoned document, a malicious support ticket, a booby-trapped web page it scrapes — anything that reaches the model's context — and you can steer it into emitting Python that reads your .env, exfiltrates API keys, or opens a reverse shell. The CVSS vector is as bad as it gets: network-reachable, no authentication, no user interaction, full system compromise. The fix exists — upgrade to 1.6.78 or later — and you should do it today. (One aggregator claimed no patch was available; the CVE record says otherwise. Trust the record.)

This isn't one bad library. Microsoft's security team spent the spring documenting the same class of bug across agent frameworks, including its own Semantic Kernel. Their one-line lesson is the one to tape to your monitor: "Your LLM is not a security boundary. The tools you expose define your attacker's affected scope."

Why it matters for your business

The whole appeal of an agent is that it acts — runs code, hits APIs, touches files. That's also the whole risk. Every capability you hand the model is a capability an attacker inherits the moment they get text into its context. And text gets in everywhere: emails, uploads, product reviews, the open web your agent browses.

For a small team, the practical takeaways are boring and load-bearing:

  • Never let model-generated code hit a raw exec() or a shell. If the agent must run code, it runs in a sandbox — a locked-down container, no host secrets mounted, egress filtered — full stop.
  • Least privilege the tools, not the prompt. You can't prompt your way to safety. Scope the API keys, the filesystem access, the network. Assume the model will be tricked.
  • Track your agent dependencies like the attack surface they are. A framework that had a 10.0 this week is exactly the kind of thing that needs a patch alert, not a "we'll get to it."

Key takeaways

  • CVE-2026-61447 (CVSS 10.0, published July 11) hits PraisonAI before 1.6.78 — it runs LLM-generated Python with no AST checks, no import limits, no sandbox
  • Prompt injection is the attack vector: poisoned input steers the model into code that steals secrets or opens a shell — no auth, no clicks required
  • The fix is to upgrade to 1.6.78+; an aggregator's "no patch" claim was wrong, per the CVE record
  • It's a whole class of bug — Microsoft flagged the same pattern across frameworks. Your LLM is not a security boundary; the tools you expose are the blast radius

Running agents that touch code, keys, or customer data? We build agent systems where the model is sandboxed, the tools are least-privilege, and a poisoned prompt doesn't become a shell. See how we build agents you can trust or tell us what your agent can currently reach.

Sources: CVE-2026-61447 record, Microsoft Security: When prompts become shells.

  • #ai-agents
  • #security
  • #cve
  • #prompt-injection
  • #rce
TR

Tommy Rush — Founder, Rush Commerce

Operator turned builder. 15+ years running operations — now shipping the systems businesses run on. More

Get The Rush Report weekly — one email, zero fluff.