47 advisories, one agent framework: the vibe-check adoption problem

TLDR: PraisonAI is a "production-ready" multi-agent framework with 6,881 GitHub stars. Thirteen researchers filed 47 security advisories in weeks, 16 critical: sandbox escape, SQL injection, command injection, and a persistent RCE where a prompt-injected agent plants malware in its own lifecycle hooks. Every audited open-source agent framework has failed the same way. Developers pick by star count, not security review. Instrument the choke points (repos, package proxies, CI/CD, LLM gateway, secrets fetches) and ask developers directly.

OpenClaw is the agent framework everyone has heard about. HiddenLayer published the C2 via prompt injection research. Jamieson O'Reilly demonstrated the poisoned skill attack. There are two MITRE ATLAS case studies. 27 CVEs landed last week alone. The security community is watching OpenClaw.

Nobody is watching PraisonAI.

PraisonAI is a multi-agent framework that hit #1 on GitHub Trending and accumulated 6,881 stars. It claims to be "production-ready" and "safe by default." Once researchers started looking, thirteen of them filed 47 security advisories in a few weeks, 16 of them critical, with three reporters (offset, YeranG30, l3tchupkt) accounting for two thirds of the findings.

The bugs include sandbox escape via Python metaclass tricks, SQL injection via f-strings, OS command injection via unsanitized CLI arguments, and a lifecycle hook system where a prompt-injected agent can plant persistent malware that executes on every subsequent tool call.

The question for CISOs is not whether PraisonAI specifically is secure. The question is: how did developers building agents in your environment adopt a framework with f-string SQL queries and shell=True subprocess calls?

1. What we actually found.

PraisonAI is effectively a one-person project. Its sole maintainer authored 76% of the 3,300 commits. AI bots (GitHub Actions, claude[bot], Copilot) authored another 18%. The codebase wraps CrewAI and AutoGen into a CLI and UI layer with file tools, MCP integration, and a code execution sandbox.

The security infrastructure is absent. No SECURITY.md. Dependabot disabled. No static analysis in CI/CD. Test failures do not block the pipeline. 24 releases shipped in 15 days, with seven on a single day.

The CVEs that were found could serve as a syllabus for the whole OWASP Top 10:

  • Sandbox escape (CVSS 10.0, CVE-2026-34938): PraisonAI's execute_code() function runs agent-generated Python in a three-layer sandbox. The sandbox's _safe_getattr wrapper checks name.startswith('_') to block access to dunder methods. The problem: it accepts any str subclass. An attacker creates a custom class that overrides startswith() to always return False, walks up the exception frame to subprocess.Popen, and escapes to the host OS. A four-line Python class bypasses the sandbox's core security check.
  • SQL injection via f-strings (CVSS 9.8, CVE-2026-34934): The get_all_user_threads() function in ui/sql_alchemy.py builds SQL queries by embedding thread IDs directly into query strings: "('" + "','".join([t["thread_id"]...]) + "')". No parameterization, no escaping. This is the exact pattern that every "Introduction to SQL Injection" tutorial warns about. It was in production code in a framework claiming to be production-ready.
  • CLI command injection (CVSS 9.8, CVE-2026-34935): cli/features/mcp.py passes the --mcp command-line argument directly to shlex.split() and then to anyio.open_process(). No validation, no allowlist, no sanitization at any stage. Direct pipeline from user input to OS command execution.
  • Persistent RCE via lifecycle hooks (CVSS 9.3, CVE-2026-40111): PraisonAI's memory hooks executor reads commands from .praisonai/hooks.json and passes them to subprocess.run(command, shell=True). No sanitization. Hooks fire automatically on lifecycle events like BEFORE_TOOL and AFTER_TOOL. An agent that gains file-write access through prompt injection can overwrite hooks.json and have its payload execute silently on every subsequent tool invocation. This is not a one-shot exploit. It is a persistent implant, planted by the agent itself, that survives across sessions.
  • Path traversal (CVSS 9.2, CVE-2026-35615): The _validate_path() function calls os.path.normpath() first to collapse .. sequences, then checks for '..' in the result. Since normpath() already removes the .., the check always passes. One-line proof of concept: FileTools.read_file("/tmp/../etc/passwd") returns the contents of /etc/passwd. The path validation was security theater, a check that could never fire.
  • Zero auth on gateway (CVSS 9.1, CVE-2026-34952): The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any client on the network can connect, enumerate every registered agent, and send arbitrary messages to agents and their tool sets.
  • Across all 47 advisories: 4 path traversal variants (FileTools, Action Orchestrator, recipe registry pull, recipe registry publish), 3 SSRF vectors, 2 sandbox escapes, 2 command injection paths, YAML deserialization RCE, template injection, and unauthenticated event streaming that exposes all agent activity. The patches were minimal, targeting the exact reported lines rather than systematic hardening. The same bug classes repeat across the codebase.
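The path-traversal item above, reproduced as an added example that is not PraisonAI's code: the broken ordering (normalize first, then look for "..") sits beside a containment check against an explicit base directory, which is an assumed fix of my own rather than the project's patch.

```python
import os
from pathlib import Path


# Constructed reproduction of the check pattern the page describes for
# CVE-2026-35615 (not the project's own code). normpath() collapses ".."
# before the substring test, so for "/tmp/../etc/passwd" the test sees
# "/etc/passwd" and lets it through. normpath() keeps only leading ".."
# segments that cannot be collapsed, so a bare "../x" is the one shape
# this check still catches.
def validate_path_broken(path: str) -> bool:
    normalized = os.path.normpath(path)
    return ".." not in normalized


# Hardened form (assumed design, not the project's patch): resolve the
# candidate, symlinks included, against an explicit base directory and
# accept it only if the resolved path stays inside that base.
def validate_path_hardened(path: str, base_dir: str) -> bool:
    base = Path(base_dir).resolve()
    candidate = Path(path) if os.path.isabs(path) else base / path
    try:
        candidate.resolve().relative_to(base)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    probe = "/tmp/../etc/passwd"
    print("broken check accepts probe:", validate_path_broken(probe))  # True
    print("hardened check accepts probe:",
          validate_path_hardened(probe, "/tmp/sandbox"))  # False
```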

2. PraisonAI is not an outlier.

In our study of 384 CVEs across 17 agent platforms, every open-source framework that has been audited has failed: LangChain (51 CVEs, 23 critical), n8n (53 CVEs, CISA KEV listed), CrewAI (4 CVEs on first contact, 75% critical rate). Only four platforms had zero CVEs, and all four came from Anthropic, Google, OpenAI, or Microsoft. The frameworks that haven't been audited yet are not safer. They just haven't been looked at.

3. The adoption pipeline has no security gate.

Agent frameworks are not going through procurement. Developers are running pip install on their laptops, in Jupyter notebooks, in CI/CD pipelines. The evaluation process is: search GitHub, sort by stars, pick the one with the best README, install, ship.

The framework then runs with the developer's credentials, has filesystem access, makes network calls, and executes LLM-generated code. It sits at the intersection of every high-value attack surface: identity, data, compute, and network.

And the popularity signals that drove that selection may have been bought for the cost of a conference registration.

4. The infrastructure underneath is broken too.

Agent frameworks depend on API gateways (LiteLLM), model registries (MLflow), tool servers (Azure MCP Server), and cloud AI platforms (Azure AI Foundry, Databricks). Between February and April 2026, all of them had critical auth failures: supply chain compromise, hard-coded default credentials, missing authentication on critical endpoints, and two CVSS 10.0 privilege escalations. The framework is one layer. The infrastructure it connects to is four more, and all five fail at auth.

My take:

  1. The agent framework ecosystem is in its browser extension era. Developing code is cheap. Enthusiasts rush to contribute their own "PraisonAI" to the world. GitHub rewards stars and trending badges, not security audits. The result is a marketplace that optimizes for adoption speed over code safety.
  2. Democratization of software engineering empowered passionate people to build things they had dreamed about, but many have never learned the OWASP top 10 the hard way. At best, they ask Claude to "check that my code is secure and fix it." That is how you get f-string SQL queries and shell=True subprocess calls in a framework with 7,000 stars. The security review never happened because nobody in the development process knew it should.
  3. These "PraisonAIs" already sit in enterprise environments, carrying a full set of security issues the web application ecosystem spent a decade learning to prevent. Some of them go further. The persistent hook implant (CVE-2026-40111) does not just make an agent vulnerable to exploitation. It makes the agent weaponizable. A prompt-injected agent rewrites its own lifecycle configuration so that every future tool call executes the attacker's payload. This is the agent-native equivalent of a rootkit. We covered this attack class theoretically in our analysis of the Promptware Kill Chain, but PraisonAI is the first real-world framework to make it trivial.
  4. Instrument the choke points (source repos, package proxies, CI/CD, the LLM API gateway, and secrets manager key fetches) and ask developers directly, because a monthly Slack survey returns more accurate answers than any endpoint scan.
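One small instance of item 4, added here as example code that is not from the post: scanning a package-proxy access log for fetches of the agent frameworks named above and reporting who pulled them from where. The log format, hosts and users are constructed, and the watchlist assumes the PyPI project names praisonai, crewai and langchain.

```python
import re
from collections import defaultdict

# Frameworks named on this page under their assumed PyPI names; a starting
# point for a watchlist, not a catalogue.
AGENT_FRAMEWORKS = {"praisonai", "crewai", "langchain"}

# Constructed sample of an internal PyPI proxy access log (common log format
# with an authenticated user field). Hosts, users and lines are invented.
SAMPLE_LOG = """\
10.0.3.21 - alice [12/Apr/2026:09:14:02 +0000] "GET /simple/requests/ HTTP/1.1" 200
10.0.3.21 - alice [12/Apr/2026:09:14:05 +0000] "GET /simple/praisonai/ HTTP/1.1" 200
10.0.7.4 - ci-runner [12/Apr/2026:09:20:11 +0000] "GET /packages/PraisonAI-2.0.1-py3-none-any.whl HTTP/1.1" 200
10.0.5.9 - bob [12/Apr/2026:10:02:44 +0000] "GET /simple/crewai/ HTTP/1.1" 200
10.0.5.9 - bob [12/Apr/2026:10:02:50 +0000] "GET /simple/numpy/ HTTP/1.1" 200
"""

LOG_LINE = re.compile(
    r'^(?P<host>\S+) - (?P<user>\S+) \[[^\]]+\] "GET (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalize(name: str) -> str:
    """PEP 503 name normalization: lowercase, runs of '-', '_' or '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def package_from_path(path: str):
    """Map a proxy request path to a distribution name, or None for non-package requests."""
    m = re.match(r"^/simple/([^/]+)/?$", path)
    if m:
        return normalize(m.group(1))
    m = re.match(r"^/packages/(?:[^/]+/)*([^/]+)$", path)
    if m:
        # Wheel and sdist filenames start with the distribution name, then a hyphen
        # and the version (assumes modern, normalized filenames).
        return normalize(m.group(1).split("-")[0])
    return None


def find_agent_framework_installs(log_text: str) -> dict:
    """Return {framework: {(user, host), ...}} for every successful framework fetch."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m.group("status") != "200":
            continue
        pkg = package_from_path(m.group("path"))
        if pkg in AGENT_FRAMEWORKS:
            hits[pkg].add((m.group("user"), m.group("host")))
    return dict(hits)


if __name__ == "__main__":
    for pkg, who in sorted(find_agent_framework_installs(SAMPLE_LOG).items()):
        print(f"{pkg}: {sorted(who)}")
```

The same matching applies to a requirements or lock file scan in CI, which catches the developers who never touch the proxy because they install from a personal mirror.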

Sources:

  1. PraisonAI Security Advisories (GitHub)
  2. CVE-2026-34938: Sandbox Escape, CVSS 10.0 (NVD)
  3. CVE-2026-34934: SQL Injection, CVSS 9.8 (NVD)
  4. CVE-2026-40111: Persistent RCE via Lifecycle Hooks, CVSS 9.3 (NVD)
  5. CVE-2026-35615: Path Traversal in FileTools, CVSS 9.2 (NVD)
  6. CVE-2026-34952: Unauthenticated Gateway Access, CVSS 9.1 (NVD)
  7. CVE-2026-39890: YAML Deserialization RCE (GitLab Advisory)
  8. GHSA-jfxc-v5g9-38xr: Path Traversal in Action Orchestrator (GitHub Advisory)