GHSA-4869-x4pr-q22x: PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
An unauthenticated attacker can execute arbitrary OS commands on any server running
the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two
weaknesses: the /api/v1/runs endpoint requires no credentials, and a top-level
approve field in the submitted YAML unconditionally bypasses the
@require_approval safety decorator on dangerous tools such as execute_command.
Ecosystem: pip | Package: praisonai | Affected: <= 4.6.48 | Patched: (none)
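A minimal model of the two controls the description says are missing, added here as an illustration and not taken from PraisonAI's code: the run handler authenticates the caller, and approvals for gated tools come only from server-side operator configuration, never from the submitted workflow. The `steps` key, the list shape of `approve`, the `submit_run` handler and the shared-token check are assumptions made for the example.

```python
# Constructed model of the two controls; not PraisonAI source code.
import functools
import hmac

class Denied(Exception):
    """Raised when a request fails authentication or approval."""

def require_approval(func):
    """Gate a tool: the caller passes the set of approved tool names."""
    @functools.wraps(func)
    def wrapper(approved, *args, **kwargs):
        if func.__name__ not in approved:
            raise Denied(f"{func.__name__} not approved")
        return func(*args, **kwargs)
    return wrapper

@require_approval
def execute_command(command):
    # Stand-in tool: reports the request instead of running anything.
    return f"would run: {command}"

def approvals_vulnerable(workflow, operator_approved):
    # Anti-pattern from the advisory: the submitted document's own top-level
    # "approve" field (assumed here to be a list of tool names) is trusted.
    return set(operator_approved) | set(workflow.get("approve", []))

def approvals_hardened(workflow, operator_approved):
    # Approvals come only from server-side operator configuration; a
    # document that tries to approve itself is rejected outright.
    if "approve" in workflow:
        raise Denied("workflow may not carry an 'approve' field")
    return set(operator_approved)

def submit_run(workflow, token, server_token, operator_approved, approvals):
    """Hypothetical run handler: authenticate, derive approvals, run steps."""
    # Constant-time comparison; an empty or missing token never authenticates.
    if not token or not hmac.compare_digest(token, server_token):
        raise Denied("authentication required")
    approved = approvals(workflow, operator_approved)
    return [execute_command(approved, s) for s in workflow.get("steps", [])]
```

Passing `approvals_vulnerable` reproduces the self-approval flaw in the model; `approvals_hardened` rejects the same document and leaves the decision to the operator's list.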