On 11 July, a new critical vulnerability landed in PraisonAI, the open source multi-agent framework used to build autonomous coding and workflow agents. CVE-2026-61447 carries a CVSS score of 10.0, the maximum possible, and the root cause is about as direct as vulnerabilities get: PraisonAI’s CodeAgent._execute_python() function runs Python code generated by the underlying language model with no abstract syntax tree validation, no import restrictions, and no sandbox enforcement at all. An attacker who can influence the agent’s input, through a malicious document, a poisoned tool response, or any other prompt injection vector, can steer the model into generating Python that reads environment secrets, writes files, or opens a shell, and the framework will simply run it.
A framework with a pattern, not a one-off bug
CVE-2026-61447 is not PraisonAI’s first serious security incident this year. In April, researchers disclosed CVE-2026-39890, a critical RCE via insecure YAML parsing in agent definition loading, rated 9.8. In May, an authentication bypass tracked as CVE-2026-44338 was disclosed and, according to multiple independent write-ups, was being actively scanned within roughly four hours by an automated tool identifying itself as CVE-Detector, with a single unauthenticated request against the vulnerable endpoint confirming the bypass worked. The pattern across all of these is the same: PraisonAI has repeatedly shipped functionality that trusts model output or configuration input as if it were reviewed code, and the fixes have followed disclosure rather than preceded it. The affected package, praisonaiagents, is patched in version 1.6.78 and later.
Why the exploitation window keeps shrinking
The four-hour scan-to-exploit time on the May authentication bypass is the detail worth sitting with. Attackers, or their automated tooling, are now watching CVE feeds for newly disclosed agent framework vulnerabilities and probing internet-exposed instances essentially as soon as an advisory goes public. That compresses the old assumption that a security team has days or weeks to patch before mass scanning begins into a window measured in hours. Agent frameworks are a particularly attractive target for this kind of automated probing because a successful exploit does not just compromise a server, it compromises whatever the agent had access to, which in a production deployment often includes API keys, cloud credentials, and internal data sources.
What this means if your business is deploying AI agents
Any organisation running PraisonAI should upgrade to 1.6.78 or later immediately and audit whether CodeAgent or similar unsandboxed code-execution components are reachable from anything an external user or document can influence. More broadly, this is a useful moment to check every agent framework in your stack, not just PraisonAI, for the same failure pattern: does generated code, model output, or a config file get executed with the same trust as human-reviewed source, and is that execution actually sandboxed. Teams evaluating or already running agentic AI tooling in production should treat “does this framework sandbox generated code execution” as a procurement question, not an afterthought.
If you are deploying AI agent frameworks and want a security review before they touch production data, or need help auditing your existing deployment against vulnerabilities like this one, contact Excello Digital. We help European businesses adopt agentic AI without inheriting its newest attack surface.
