CVE-2026-39890 Overview
CVE-2026-39890 is an insecure deserialization vulnerability in PraisonAI, a multi-agent teams system. Prior to version 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags (such as !!js/function and !!js/undefined). This allows an attacker to craft a malicious YAML file that, when parsed, executes arbitrary JavaScript code. An attacker can exploit this vulnerability by uploading a malicious agent definition file via the API endpoint, leading to remote code execution (RCE) on the server.
Critical Impact
This vulnerability enables unauthenticated remote code execution through malicious YAML file uploads, allowing attackers to completely compromise server infrastructure running PraisonAI.
Affected Products
- PraisonAI versions prior to 4.5.115
Discovery Timeline
- April 8, 2026 - CVE-2026-39890 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-39890
Vulnerability Analysis
This vulnerability falls under CWE-502 (Deserialization of Untrusted Data). The core issue stems from unsafe YAML parsing configuration in the AgentService.loadAgentFromFile method. The js-yaml library, when used with default settings, supports JavaScript-specific YAML tags that enable code execution during the parsing process.
When PraisonAI processes agent definition files uploaded through its API, it deserializes YAML content without restricting dangerous tags. This creates a direct pathway for attackers to inject executable JavaScript code into what should be a data-only configuration file.
The vulnerability is particularly severe because it requires no authentication and can be triggered remotely through the application's normal file upload functionality. An attacker simply needs to craft a YAML file containing malicious JavaScript payloads embedded within special YAML tags, then upload it through the agent definition API endpoint.
Root Cause
The root cause is the failure to configure js-yaml with safe parsing options. The js-yaml library includes support for JavaScript-specific YAML tags like !!js/function, !!js/undefined, and !!js/regexp by default. These tags allow YAML documents to contain embedded JavaScript code that gets executed during parsing.
Secure implementations should use yaml.load() with the JSON_SCHEMA or FAILSAFE_SCHEMA option, or use the yaml.safeLoad() function (deprecated in newer versions) to prevent execution of JavaScript tags. The vulnerable code path in PraisonAI did not implement these safeguards.
Attack Vector
The attack is network-based with low complexity and requires no privileges or user interaction. An attacker can exploit this vulnerability through the following attack flow:
- The attacker crafts a malicious YAML file containing JavaScript code embedded in dangerous YAML tags such as !!js/function
- The attacker uploads this file through the PraisonAI API endpoint that accepts agent definition files
- When AgentService.loadAgentFromFile processes the uploaded file, js-yaml parses the YAML content
- During parsing, the malicious JavaScript code is instantiated and executed on the server
- The attacker achieves remote code execution with the privileges of the PraisonAI application process
The vulnerability can be exploited to execute arbitrary system commands, exfiltrate sensitive data, establish persistent backdoors, or pivot to other systems on the network.
Detection Methods for CVE-2026-39890
Indicators of Compromise
- Unusual YAML files in agent definition directories containing !!js/function, !!js/undefined, or other JavaScript-specific tags
- Unexpected child processes spawned by the PraisonAI Node.js process
- Anomalous network connections originating from the PraisonAI server to external destinations
- Suspicious entries in application logs showing agent file uploads followed by system-level activity
Detection Strategies
- Monitor API endpoints for uploads containing YAML files with JavaScript-specific tags using web application firewall (WAF) rules
- Implement file content scanning for patterns matching !!js/ prefixes in uploaded YAML documents
- Deploy endpoint detection and response (EDR) solutions to identify anomalous process execution from the PraisonAI application
- Audit application logs for unusual agent definition file loading activity
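An added example (not PraisonAI or js-yaml code) of the `!!js/` content scan listed above, written for Node.js with no dependencies. It resolves every tag to its full URI, so the verbatim `!<...>` and `%TAG` handle spellings that YAML allows for the same tags are flagged along with the `!!js/` shorthand; the name `findJsTags` and the sample upload are constructed for illustration.

```javascript
'use strict';

// Namespace of the JavaScript-specific tags (!!js/function, !!js/undefined, !!js/regexp).
const JS_NAMESPACE = 'tag:yaml.org,2002:js/';

// Verbatim tag  !<uri>   |   shorthand tag  <handle><suffix>  (handle: "!", "!!" or "!name!")
const TAG_TOKEN = /!<([^>\s]+)>|(![\w-]*!|!)([^\s!,\[\]{}]*)/g;
const TAG_DIRECTIVE = /^%TAG\s+(![\w-]*!|!)\s+(\S+)/;

function decodeTag(uri) {
  // YAML permits %XX escapes inside tags; compare on the decoded form.
  try { return decodeURIComponent(uri); } catch (_) { return uri; }
}

// Hypothetical helper: returns [{ line, tag }] for every tag in the js/ namespace.
// Fail-closed by design: tags inside comments or quoted strings are flagged too,
// and %TAG handles are kept for the rest of the file instead of per document.
function findJsTags(yamlText) {
  const handles = { '!': '!', '!!': 'tag:yaml.org,2002:' };
  const findings = [];
  yamlText.split(/\r?\n/).forEach((text, index) => {
    const directive = TAG_DIRECTIVE.exec(text);
    if (directive) {
      handles[directive[1]] = directive[2];
      return;
    }
    for (const m of text.matchAll(TAG_TOKEN)) {
      const raw = m[1] !== undefined ? m[1] : (handles[m[2]] || m[2]) + m[3];
      const tag = decodeTag(raw);
      if (tag.startsWith(JS_NAMESPACE)) findings.push({ line: index + 1, tag });
    }
  });
  return findings;
}

// Constructed sample upload: three spellings of js/ tags plus one benign custom tag.
const SAMPLE_UPLOAD = [
  '%TAG !e! tag:yaml.org,2002:js/',
  '---',
  'name: research-agent',
  "retries: !!js/undefined ''",
  'pattern: !<tag:yaml.org,2002:js/regexp> /a+/',
  'hook: !e!undefined',
  'role: !local analyst',
  'note: "plain string"',
].join('\n');

console.log(findJsTags(SAMPLE_UPLOAD));
```

An upload gate would reject any file for which `findJsTags` returns a non-empty list and log the line numbers for review.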
Monitoring Recommendations
- Enable verbose logging on the AgentService component to track all file parsing operations
- Configure SIEM alerts for process spawning events from the PraisonAI runtime
- Monitor outbound network traffic from the application server for unexpected connections
- Implement file integrity monitoring on directories where agent definitions are stored
How to Mitigate CVE-2026-39890
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.115 or later immediately
- Review recent agent definition file uploads for malicious YAML content containing JavaScript tags
- Audit server systems running vulnerable versions for signs of compromise
- Restrict network access to the agent definition upload API endpoint until patching is complete
Patch Information
This vulnerability is fixed in PraisonAI version 4.5.115. Organizations should upgrade to this version or later as soon as possible. For detailed information about the vulnerability and the fix, refer to the GitHub Security Advisory.
Workarounds
- Implement input validation at the network perimeter to block YAML files containing !!js/ tags before they reach the application
- Restrict access to the agent definition upload API to trusted IP addresses only
- Deploy a reverse proxy with content inspection capabilities to filter malicious YAML payloads
- Run the PraisonAI service with minimal system privileges to limit the impact of successful exploitation


