CVE-2026-39891 Overview
CVE-2026-39891 is a Code Injection vulnerability affecting PraisonAI, a multi-agent teams system. Prior to version 4.5.115, the create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without proper escaping, template expressions embedded in the input are executed rather than treated as literal text. This creates a template injection vulnerability that can be exploited by authenticated attackers with network access.
Critical Impact
Attackers with low privileges can inject malicious template expressions that get executed on the server, potentially leading to unauthorized code execution, data exfiltration, or complete system compromise.
Affected Products
- PraisonAI versions prior to 4.5.115
Discovery Timeline
- 2026-04-08 - CVE-2026-39891 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-39891
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The root issue lies in how PraisonAI's agent-centric tools handle template rendering when processing user-supplied input. The vulnerability requires an authenticated user with network access, but once those conditions are met, exploitation is low complexity and needs no user interaction.
The impact is severe across the CIA triad—attackers can potentially achieve high confidentiality impact through data exfiltration, high integrity impact through unauthorized modifications, and high availability impact through system disruption. The unchanged scope indicates the vulnerability is contained within the affected component's security authority.
Root Cause
The create_agent_centric_tools() function generates tools that utilize template rendering engines to process file content. The fundamental flaw is the absence of input sanitization or escaping mechanisms before user-controlled data is passed into the template rendering context. When agent.start() receives user input containing template syntax (such as {{ }} expressions or similar template directives), this input flows directly into tools like acp_create_file where the template engine interprets and executes these expressions instead of treating them as literal strings.
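The flaw class described above, shown as an added illustration rather than PraisonAI's code: Python's standard-library string.Template stands in for the unnamed template engine, and the function names and context values are constructed. It contrasts user text used as template source with the same text escaped first or bound as data.

```python
from string import Template

# Constructed rendering context; stands in for whatever the real engine exposes.
CONTEXT = {"project": "demo", "api_token": "tok-CONSTRUCTED-123"}


def render_file_vulnerable(user_content):
    """User text becomes the template source, so its placeholders are evaluated."""
    return Template(user_content).safe_substitute(CONTEXT)


def render_file_escaped(user_content):
    """Escape the engine's delimiter first, so the text is emitted literally."""
    escaped = user_content.replace("$", "$$")
    return Template(escaped).safe_substitute(CONTEXT)


def render_file_as_data(user_content):
    """Fixed template; user text is only ever a value and is never parsed."""
    fixed = Template("# project: $project\n$body")
    return fixed.substitute(CONTEXT, body=user_content)


if __name__ == "__main__":
    # Constructed input containing a placeholder for a context variable.
    payload = "notes: ${api_token}"
    print(repr(render_file_vulnerable(payload)))
    print(repr(render_file_escaped(payload)))
    print(repr(render_file_as_data(payload)))
```

string.Template only substitutes values; engines that evaluate expressions widen the impact of the same mistake, which is why the advisory rates it as code injection.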
Attack Vector
The attack vector is network-based, requiring the attacker to have low-level privileges (authenticated access) to the PraisonAI system. An attacker can craft malicious input containing template injection payloads and submit them through the agent.start() entry point. When the agent-centric tools process this input through the template rendering engine, the injected template expressions are evaluated, allowing arbitrary code execution within the template engine's context.
The exploitation mechanism involves embedding malicious template expressions within data that gets processed by the vulnerable tools. Depending on the template engine used, attackers could potentially access internal objects, execute system commands, read sensitive files, or perform other malicious operations permitted by the template engine's capabilities.
For detailed technical information and proof-of-concept details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-39891
Indicators of Compromise
- Unusual template syntax patterns (e.g., {{ }}, {% %}, ${ }) appearing in user input logs or agent interaction records
- Unexpected file creation or modification by acp_create_file or similar agent tools
- Error logs indicating template rendering failures with suspicious payloads
- Anomalous process spawning or network connections originating from the PraisonAI application
Detection Strategies
- Implement input validation monitoring to detect template injection patterns in user-submitted data
- Deploy application-level logging to capture all inputs processed by agent.start() and agent-centric tools
- Configure intrusion detection systems to alert on common template injection signatures
- Enable runtime application self-protection (RASP) to detect and block template injection attempts
Monitoring Recommendations
- Monitor PraisonAI application logs for template rendering errors or exceptions
- Establish baseline behavior for agent-centric tool operations and alert on deviations
- Track file system changes initiated by PraisonAI processes for unexpected modifications
- Implement real-time alerting for suspicious input patterns reaching the template engine
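One way to run the log review described in the indicators and monitoring items above, as an added example that is not part of PraisonAI: it scans agent.start() input records for the three delimiter styles listed. The JSON-lines log format, its field names and the sample records are assumptions constructed for the example.

```python
import json
import re

# Delimiter styles named in the indicators list: {{ }}, {% %}, ${ }
TEMPLATE_PATTERNS = {
    "expression": re.compile(r"\{\{.*?\}\}", re.S),
    "statement": re.compile(r"\{%.*?%\}", re.S),
    "dollar_brace": re.compile(r"\$\{.*?\}", re.S),
}


def find_template_syntax(text):
    """Return the sorted names of template delimiter styles found in text."""
    return sorted(n for n, rx in TEMPLATE_PATTERNS.items() if rx.search(text))


def scan_records(lines):
    """Return one finding per log line whose input carries template syntax."""
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            record = json.loads(raw)
            text = str(record.get("input", ""))
            user = record.get("user", "unknown")
        except (ValueError, AttributeError):
            # Corrupt or non-object line: scan the raw text instead of skipping it.
            text, user = raw, "unparsed"
        hits = find_template_syntax(text)
        if hits:
            findings.append({"line": lineno, "user": user, "patterns": hits})
    return findings


# Constructed sample records (assumed format, not real PraisonAI log output).
SAMPLE_LOG = [
    '{"user": "alice", "entry": "agent.start", "input": "Write a README"}',
    '{"user": "bob", "entry": "agent.start", "input": "Create a.txt with {{ project_name }}"}',
    '{"user": "carol", "entry": "agent.start", "input": "Save ${HOME} and {% if debug %}on{% endif %}"}',
    'corrupt line user=dave input={{ x }}',
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_LOG):
        print(finding)
```

Hits are triage leads rather than proof of exploitation, since users can legitimately ask an agent to write files that contain template syntax.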
How to Mitigate CVE-2026-39891
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.115 or later immediately
- Audit recent agent interactions for signs of exploitation attempts
- Review application logs for suspicious template syntax in user inputs
- Restrict network access to PraisonAI instances to trusted users and networks
Patch Information
The vulnerability has been fixed in PraisonAI version 4.5.115. The patch addresses the template injection issue by implementing proper input escaping before user data is processed by the template rendering engine. Organizations should update to the patched version as soon as possible. Refer to the GitHub Security Advisory for additional patch details.
Workarounds
- If immediate patching is not possible, restrict access to PraisonAI to only trusted, authenticated users
- Implement a web application firewall (WAF) with rules to detect and block template injection payloads
- Disable or restrict access to agent-centric tools like acp_create_file until the patch can be applied
- Monitor and sanitize all user inputs at the application boundary before they reach agent processing functions
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


