ctipilot.ch

PraisonAI PGVector/Cassandra knowledge store — SQL/CQL injection via unvalidated vector dimension (CVSS 9.3)

cve · CVE-2026-60090

Coverage timeline
1
first 2026-07-11 → last 2026-07-11
Peak priority
notable
1 notable
Sources cited
4
2 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
2
see Related entities below
ATT&CK techniques
4
pinned v19.1 · see below

Hunting pivots

Affected products
PraisonAI

ATT&CK techniques

4 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1190Exploit Public-Facing Application×1

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network. The weakness in the system can be a software bug, a temporary glitch, or a misconfiguration.

Evidence: 2026-07-11/praisonai-agentic-framework-three-cves-code-exec-rce-ddli · ATT&CK page ↗

Execution TA0002

T1059.004Command and Scripting Interpreter: Unix Shell×1

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux, macOS, and ESXi systems, though many variations of the Unix shell exist (e.g. sh, ash, bash, zsh, etc.) depending on the specific OS or distribution. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Evidence: 2026-07-11/praisonai-agentic-framework-three-cves-code-exec-rce-ddli · ATT&CK page ↗

T1059.006Command and Scripting Interpreter: Python×1

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Evidence: 2026-07-11/praisonai-agentic-framework-three-cves-code-exec-rce-ddli · ATT&CK page ↗

Credential Access TA0006

T1552Unsecured Credentials×1

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. Shell History), operating system or application-specific repositories (e.g. Credentials in Registry), or other specialized files/artifacts (e.g. Private Keys).

Evidence: 2026-07-11/praisonai-agentic-framework-three-cves-code-exec-rce-ddli · ATT&CK page ↗

Story timeline

  1. 2026-07-11PraisonAI agent framework: three CVEs — unsandboxed LLM code execution, tool-call RCE, and vector-store DDL injection
    trending-vulnerabilitiesPraisonAI: three critical CVEs — unsandboxed LLM code execution leaks all env secrets, plus tool-call RCE and DDL injection

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • github.com3 (75%)
  • thehackerwire.com1 (25%)

Co-occurring entities

Derived — referenced by the same entries; ×N counts the shared entries.

Entries about PraisonAI PGVector/Cassandra knowledge store — SQL/CQL injection via unvalidated vector dimension (CVSS 9.3) (1)

2026-07-11 · view entry permalink →

NOTABLECVE-2026-61447 +2NATOA2

PraisonAI agent framework: three CVEs — unsandboxed LLM code execution, tool-call RCE, and vector-store DDL injection

Three CVEs were published together on 2026-07-11 (NVD/EUVD) in PraisonAI — an open-source multi-agent LLM orchestration framework distributed as the praisonaiagents and praisonai pip packages. The first two share one root cause: the framework treats model output as trusted, so an attacker who can influence the LLM (via prompt injection in agent input, ingested documents, or tool results) reaches code execution without touching a classic network listener. CVE-2026-61447 (CVSS 10.0) is in CodeAgent._execute_python() (src/praisonai-agents/praisonaiagents/agent/code_agent.py, lines 253–308): LLM-generated Python is written to a temp file and run via subprocess.run(["python", temp_file], env=os.environ.copy()) with no AST validation and no import restrictions, and CodeConfig declares sandbox: bool = True (line 21) that the execution path never reads — so the flag is inert and the subprocess inherits every credential in the parent environment (OPENAI_API_KEY, DATABASE_URL, cloud tokens) (PraisonAI GHSA-2xv2-w8cq-5gxw, 2026-06-25). The advisory contrasts this with the framework's own sandboxed execute_code tool, which runs with an empty environment.

CVE-2026-61445 (CVSS 9.4) is in the AICoder chat-UI component, which exposes write_to_file and execute_command tools to the model with no path validation or command sanitization; apply_llm_response joins the caller path with os.path.join(self.cwd, args["path"]), which does not block absolute paths, so a model-driven write can land at /etc/crontab or /root/.ssh/authorized_keys, and the advisory notes containers commonly run as root, turning tool-call abuse into full in-container compromise (PraisonAI GHSA-9mp3-24cc-77mg, 2026-06-25). CVE-2026-60090 (CVSS 9.3) is a different bug class with no LLM nexus — a classic SQL/CQL injection reachable by any caller who can influence collection-creation parameters (for example through a RAG ingestion API), not through the model: the PGVector and Cassandra knowledge-store backends validate schema/keyspace/collection identifiers but interpolate the caller-supplied dimension value straight into the CREATE TABLE/CQL vector-column DDL, and the int type hint is not enforced at runtime, so a value like 3); DROP TABLE tenant_secrets; -- reaches the database driver (PraisonAI GHSA-wf65-4jjx-q444, 2026-06-25). The three CVEs — VulnCheck-assigned and carried on ENISA EUVD and NVD with CVSS 4.0 vectors consistent with the assigned scores — were also independently re-reported the same day (TheHackerWire, 2026-07-11).

The exposure is narrow — self-hosted agent deployments, most likely in AI-pilot and innovation teams rather than production estate — but the transferable lesson is in the first two bugs: in an agentic framework the model's output is an execution surface, so the same detection thinking applies to any self-hosted LLM/agent tooling (CVE-2026-60090 is a conventional injection that the usual input-validation hygiene covers). Detection concepts, telemetry-class first: in process-creation telemetry with parent lineage (Sysmon EID 1, auditd execve, EDR process events), surface script interpreters (python, sh) whose parent is the agent-hosting Python process — and, more discriminating, where that child then reads credential-shaped environment variables or opens outbound connections; in the framework's own tool-call audit log, flag write_to_file / execute_command invocations whose arguments point outside the declared workspace (/etc/, ~/.ssh/, cron paths); and in database audit logs, flag knowledge-store DDL carrying non-integer tokens (semicolons, comment sequences) in the vector-dimension position.

CodeAgent._execute_python() executes LLM-generated Python code in a subprocess with the complete parent-process environment (os.environ.copy()), zero AST validation, zero import restrictions, and no sandbox enforcement — even when CodeConfig(sandbox=True) is explicitly set.

sandbox=True is dead code

**Root access**: All Docker containers run as root (no USER directive)

A caller that can influence collection creation dimensions can append SQL/CQL tokens to the generated DDL executed by the database driver.

PraisonAI / MervinPraison (GitHub Security Advisory) 2026-06-25
vulnerability11 Jul 20:25Zmulti-sourceOpen finding ↗