Security: MervinPraison/PraisonAI
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
SecurityPolicy command/path/import restrictions are completely unenforced by the default SubprocessSandbox backendGHSA-5r6c-gj4g-r697 published
Jun 25, 2026 by MervinPraisonCritical -
Prompt-injection defense blocks only when 3+ detector families fire simultaneously; realistic single-vector injections pass through unblockedGHSA-4r3p-w3mc-5v34 published
Jun 25, 2026 by MervinPraisonModerate -
Human-in-the-loop tool approval is cached by tool name and silently reused for all subsequent calls with arbitrary argumentsGHSA-29r9-67vg-qj56 published
Jun 25, 2026 by MervinPraisonModerate -
Project custom command templates can read outside-workspace files into model promptsGHSA-xpx6-x8c2-mw5w published
Jun 25, 2026 by MervinPraisonModerate -
Project config can auto-save agent output outside the project rootGHSA-qjw5-xwrp-xwpq published
Jun 25, 2026 by MervinPraisonModerate -
PGVector and Cassandra knowledge stores interpolate vector dimensions into DDLGHSA-wf65-4jjx-q444 published
Jun 25, 2026 by MervinPraisonModerate -
Jobs API is unauthenticated by default and allows attacker-controlled webhook SSRFGHSA-4w49-gwv8-fpjg published
Jun 25, 2026 by MervinPraisonHigh -
AgentOS defaults to network-exposed no-auth mode, allowing unauthenticated agent invocation and instruction disclosureGHSA-6wjp-v33h-5cvq published
Jun 25, 2026 by MervinPraisonHigh -
MCP HTTP-stream transport is unauthenticated by default, exposing tool enumeration and an unvalidated tool-call surfaceGHSA-hc5v-gxvj-58wh published
Jun 25, 2026 by MervinPraisonHigh -
AgentMail webhook lacks signature verification, allowing unauthenticated message injection and sender spoofingGHSA-qj9c-59p6-8cgx published
Jun 25, 2026 by MervinPraisonHigh