system: OPERATIONAL
← back to all hacks
AGENTS CRITICAL NEW

When the agent runs its own code: PraisonAI's CodeAgent turns prompt injection into RCE

Disclosed July 11, 2026, a maximum-severity flaw in PraisonAI runs LLM-generated Python with no AST checks, import limits or sandbox — so a crafted prompt becomes arbitrary code on the host.

2026-07-14 // 6 min affects: praisonai, codeagent, llm-agents

What is this?

On July 11, 2026, a maximum-severity remote code execution flaw was published against PraisonAI, a popular open-source multi-agent orchestration framework. The vulnerability sits in the framework’s CodeAgent component, which is designed to let an LLM write Python and then run it. In every release before 1.6.78, that code ran with no guardrails at all — no syntax-tree inspection, no restrictions on which modules could be imported, and no sandbox to contain the process. Rated 10.0 (critical) on CVSS 4.0 and classed as code injection (CWE-94), it is the kind of finding that turns an ordinary prompt into a shell on the host.

It is also a textbook example of a class we keep returning to: the moment an agent framework is given the ability to execute what the model generates, prompt injection stops being a content problem and becomes a code-execution problem. This is a defensive read of a publicly disclosed, already-patched issue — not an exploitation guide.

How it works

The design of CodeAgent is straightforward, and that is precisely the trouble. A task is handed to the agent, the LLM produces a snippet of Python it believes will solve the task, and the framework executes that snippet to obtain a result. The unsafe part is the execution step, in the _execute_python() routine.

Task / prompt  ──▶  LLM generates Python  ──▶  _execute_python()  ──▶  runs on host
                     (attacker can steer               │
                      this content)                    └── no AST check
                                                        └── no import allow-list
                                                        └── no sandbox / isolation

Because the generated string is passed to a live interpreter untouched, whatever the model can be persuaded to write, the host will run — with the privileges of the PraisonAI process. And an attacker does not need access to the interpreter directly. The steering happens one layer up, at the prompt: any untrusted text the agent ingests (a retrieved document, a tool result, a web page, a user message) can nudge the model toward emitting Python that reads environment variables, opens a network connection, or touches the filesystem. The disclosure describes the concrete impact as exfiltration of all environment secrets and arbitrary command execution on the host.

The severity vector tells the rest of the story: network-reachable, low complexity, no privileges and no user interaction required (AV:N/AC:L/PR:N/UI:N), with high impact across confidentiality, integrity and availability. No public proof-of-concept accompanied the advisory, and the issue was not reported as exploited in the wild at publication (EPSS around 0.5%). The reservation date was July 9, 2026; publication followed on July 11, 2026.

Why it matters

The instinct is to file this under “one more RCE in one more framework.” That undersells it. CodeAgent-style components — an LLM that writes code, and a runtime that executes it — are now a standard building block across the agent ecosystem, marketed as the feature that lets agents “do real work.” Every such component inherits the same structural exposure: the executor trusts the model, and the model trusts its input. Break the input, and you break the host.

Two properties make this worse than a classic injection bug. First, the attack surface is semantic, not syntactic. There is no single malicious string to blocklist; the attacker only has to get the model to produce dangerous-but-valid Python, and there are effectively unlimited ways to phrase that request. Second, agents are increasingly wired to untrusted content by design — retrieval corpora, tool outputs, scraped pages — so the “prompt” that reaches the model is rarely typed by a trusted human. That is the lethal-trifecta condition (private data, untrusted content, code/network egress) collapsed into a single process.

For anyone running PraisonAI, the practical stakes are immediate: a self-hosted instance exposed to the network, or fed documents from outside the trust boundary, should be treated as remotely code-executable until upgraded. For everyone else, it is a prompt to audit whether any agent in your stack executes model-authored code, and under what confinement.

Defenses

The vendor fix is the first move; the rest is architecture that holds even when the next CodeAgent-shaped feature ships.

  1. Upgrade to PraisonAI 1.6.78 or later. This is the documented remediation for the flaw. Pin the version in your dependency manifest and rebuild any container images that bundle an older release.
  2. Never run model-generated code on the host. If an agent must execute code, execute it in a disposable, network-denied sandbox — a locked-down container, gVisor/microVM, or a dedicated code-interpreter service — with a read-only root, no mounted secrets, and an egress default-deny. The blast radius of code injection is defined by where the code runs, not by how it was generated.
  3. Do not put secrets in the execution environment. Environment variables are the first thing exfiltrated in this class of bug. Inject credentials at the last moment through a broker the sandbox cannot reach, so a compromised interpreter has nothing to steal.
  4. Constrain what the interpreter can even express. Where you control the executor, apply an AST allow-list and an import allow-list before running anything, and reject code that reaches for os, subprocess, socket, dynamic import, or reflection. This is a mitigation, not a wall — treat it as defence-in-depth behind the sandbox, not instead of it.
  5. Treat every non-human input as hostile. Retrieved documents, tool responses and scraped pages are attacker-controllable. Tag their provenance, and forbid content that arrives through those channels from influencing a code-execution step. Log the exact code the agent runs and alert on network or filesystem calls.
  6. Inventory your agents. Ask, for each agent framework you deploy: does it execute model-authored code, shell commands, or SQL? If yes, where does that execution happen, what can it reach, and what is its identity? PraisonAI is not unique here — this is the recurring failure mode of prompt-injection-to-RCE across agent frameworks.

Status

ItemReferenceDateNotes
CVE reservedVulnCheck (CNA)2026-07-09Assigned to the PraisonAI CodeAgent code-execution flaw
Advisory publishedNVD / GitHub Security Advisory GHSA-2xv2-w8cq-5gxw2026-07-11CVSS 4.0 base score 10.0, CWE-94
Affected versionsGitHub advisoryPraisonAI (praisonaiagents) before 1.6.78
Fixed versionGitHub advisory2026-071.6.78 and later
Exploited in the wildOffSeq / NVD2026-07-11Not observed at publication; EPSS ≈ 0.5%
Reference CVENVD2026-07-11CVE-2026-61447

The lesson is not about one framework. Any time you let a language model write code and then run it, you have moved prompt injection from “the model said something bad” to “the model did something bad.” The durable defense is to assume the injection will succeed and make sure the code it produces runs somewhere it cannot hurt you.

Sources