Vulnerability-Lookup

CVE-2026-56074 (GCVE-0-2026-56074)

Vulnerability from cvelistv5 – Published: 2026-06-18 22:12 – Updated: 2026-06-22 12:45

Title

PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching

Summary

PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.

Severity

6.8 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

SSVC

Exploitation: poc Automatable: no Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-863 - Incorrect Authorization

Assigner

VulnCheck

References

2 references

URL	Tags
https://github.com/MervinPraison/PraisonAI/securi…	vendor-advisory
https://www.vulncheck.com/advisories/praisonai-to…	third-party-advisory

Impacted products

1 product

Vendor	Product	Version
PraisonAI	PraisonAI	Affected: 0 , < 1.5.128 (semver) Unaffected: 1.5.128 (semver)

Date Public

2026-04-09 00:00

Credits

offset

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-56074",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-22T12:44:29.875373Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-22T12:45:20.930Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "PraisonAI",
          "vendor": "PraisonAI",
          "versions": [
            {
              "lessThan": "1.5.128",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "1.5.128",
              "versionType": "semver"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "1.5.128",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "offset"
        }
      ],
      "datePublic": "2026-04-09T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.8,
            "baseSeverity": "MEDIUM",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "NONE",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-863",
              "description": "Incorrect Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-18T22:12:22.730Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GHSA Advisory GHSA-ffp3-3562-8cv3",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
        },
        {
          "name": "VulnCheck Advisory: PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching"
        }
      ],
      "title": "PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-56074",
    "datePublished": "2026-06-18T22:12:22.730Z",
    "dateReserved": "2026-06-18T15:57:20.434Z",
    "dateUpdated": "2026-06-22T12:45:20.930Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-56074\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-06-22T12:44:29.875373Z\"}}}], \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-06-22T12:45:09.488Z\"}}], \"cna\": {\"title\": \"PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"offset\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 6.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"NONE\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"NONE\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\"}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.5, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"PraisonAI\", \"product\": \"PraisonAI\", \"versions\": [{\"status\": \"affected\", \"version\": \"0\", \"lessThan\": \"1.5.128\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"1.5.128\", \"versionType\": \"semver\"}], \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-04-09T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3\", \"name\": \"GHSA Advisory GHSA-ffp3-3562-8cv3\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching\", \"name\": \"VulnCheck Advisory: PraisonAI - Tool Approval Cache Bypass via Coarse-Grained Caching\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"Incorrect Authorization\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"1.5.128\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-06-18T22:12:22.730Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-56074\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-06-22T12:45:20.930Z\", \"dateReserved\": \"2026-06-18T15:57:20.434Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-06-18T22:12:22.730Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-56074

Vulnerability from fkie_nvd - Published: 2026-06-18 23:16 - Updated: 2026-06-18 23:16

Severity

5.5 (Medium) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Summary

References

	URL	Tags
	disclosure@vulncheck.com	https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3
	disclosure@vulncheck.com	https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "affected": [
    {
      "affectedData": [
        {
          "defaultStatus": "unaffected",
          "product": "PraisonAI",
          "vendor": "PraisonAI",
          "versions": [
            {
              "lessThan": "1.5.128",
              "status": "affected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "1.5.128",
              "versionType": "semver"
            }
          ]
        }
      ],
      "source": "disclosure@vulncheck.com"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "PraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent."
    }
  ],
  "id": "CVE-2026-56074",
  "lastModified": "2026-06-18T23:16:19.213",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 3.6,
        "source": "disclosure@vulncheck.com",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.8,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "NONE",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-06-18T23:16:19.213",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
    },
    {
      "source": "disclosure@vulncheck.com",
      "url": "https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Primary"
    }
  ]
}

GHSA-FFP3-3562-8CV3

Vulnerability from github – Published: 2026-04-10 19:28 – Updated: 2026-06-19 21:33

Summary

PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands

Details

Summary

The approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves execute_command for any command (e.g., ls -la), all subsequent execute_command calls in that execution context bypass the approval prompt entirely. Combined with os.environ.copy() passing all process environment variables to subprocesses, this allows an LLM agent (potentially via prompt injection) to silently exfiltrate API keys and credentials without further user consent.

Details

The require_approval decorator in src/praisonai-agents/praisonaiagents/approval/__init__.py:176-178 checks approval status by tool name only:

@wraps(func)
def wrapper(*args, **kwargs):
    if is_already_approved(tool_name):   # line 177 — checks only tool_name
        return func(*args, **kwargs)     # line 178 — bypasses ALL approval

The mark_approved function in registry.py:144-147 stores only the tool name string:

def mark_approved(self, tool_name: str) -> None:
    approved = self._approved_context.get(set())
    approved.add(tool_name)              # stores "execute_command", not args
    self._approved_context.set(approved)

The approval context is never cleared during agent execution — clear_approved() exists (registry.py:152) but is never called in the agent's tool execution path (agent/tool_execution.py).

Meanwhile, the ConsoleBackend UI at backends.py:95-96 misleads the user:

return Confirm.ask(
    f"Do you want to execute this {request.risk_level} risk tool?",
    # "this" implies per-invocation approval
)

The UI displays the specific command arguments (lines 81-85), creating a reasonable expectation that the user is approving only that specific invocation.

Additionally, shell_tools.py:77 passes the full process environment to every subprocess:

process_env = os.environ.copy()  # includes OPENAI_API_KEY, etc.

There is no command filtering, blocklist, or environment variable sanitization in the shell tools module.

PoC

from praisonaiagents import Agent
from praisonaiagents.tools.shell_tools import execute_command

# Step 1: Create agent with shell tool
agent = Agent(
    name="worker",
    instructions="You are a helpful assistant.",
    tools=[execute_command]
)

# Step 2: Agent requests benign command — user sees Rich panel:
#   Function: execute_command
#   Risk Level: CRITICAL
#   Arguments:
#     command: ls -la
#   "Do you want to execute this critical risk tool?" [y/N]
# User approves → mark_approved("execute_command") is called

# Step 3: All subsequent execute_command calls bypass approval silently:
# execute_command(command="env")
#   → returns ALL environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, etc.)
#   → NO approval prompt shown

# Step 4: Targeted extraction also bypasses approval:
# execute_command(command="printenv OPENAI_API_KEY")
#   → returns the specific API key
#   → NO approval prompt shown

# Verification: check the approval cache
from praisonaiagents.approval import is_already_approved
# After approving "ls -la":
# is_already_approved("execute_command") → True
# Any execute_command call now returns immediately at __init__.py:177-178

Impact

Secret exfiltration: An LLM agent (or one subjected to prompt injection) can dump all process environment variables after a single benign command approval. Common secrets include OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, DATABASE_URL, and any other credentials passed via environment.
Misleading consent UI: The console prompt displays specific arguments and uses language ("this tool") that implies per-invocation consent, but the system grants session-wide blanket approval.
No expiration or scope: The approval cache uses a ContextVar that persists for the entire agent execution context with no timeout, no command-count limit, and no clearing between tool calls.
No environment filtering: os.environ.copy() passes every environment variable to subprocesses without filtering sensitive patterns.

Recommended Fix

Per-invocation approval for critical tools — store a hash of (tool_name, arguments) instead of just tool_name, or require re-approval for each invocation of critical-risk tools:

# In registry.py — change mark_approved/is_already_approved:
import hashlib, json

def mark_approved(self, tool_name: str, arguments: dict = None) -> None:
    approved = self._approved_context.get(set())
    risk = self._risk_levels.get(tool_name)
    if risk == "critical" and arguments:
        key = f"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}"
    else:
        key = tool_name
    approved.add(key)
    self._approved_context.set(approved)

def is_already_approved(self, tool_name: str, arguments: dict = None) -> bool:
    approved = self._approved_context.get(set())
    risk = self._risk_levels.get(tool_name)
    if risk == "critical" and arguments:
        key = f"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}"
        return key in approved
    return tool_name in approved

Filter environment variables in shell_tools.py:

SENSITIVE_PATTERNS = ('_KEY', '_SECRET', '_TOKEN', '_PASSWORD', '_CREDENTIAL')

process_env = {
    k: v for k, v in os.environ.items()
    if not any(p in k.upper() for p in SENSITIVE_PATTERNS)
}
if env:
    process_env.update(env)

Severity

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.5.128"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-56074"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-10T19:28:38Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nThe approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves `execute_command` for any command (e.g., `ls -la`), all subsequent `execute_command` calls in that execution context bypass the approval prompt entirely. Combined with `os.environ.copy()` passing all process environment variables to subprocesses, this allows an LLM agent (potentially via prompt injection) to silently exfiltrate API keys and credentials without further user consent.\n\n## Details\n\nThe `require_approval` decorator in `src/praisonai-agents/praisonaiagents/approval/__init__.py:176-178` checks approval status by tool name only:\n\n```python\n@wraps(func)\ndef wrapper(*args, **kwargs):\n    if is_already_approved(tool_name):   # line 177 \u2014 checks only tool_name\n        return func(*args, **kwargs)     # line 178 \u2014 bypasses ALL approval\n```\n\nThe `mark_approved` function in `registry.py:144-147` stores only the tool name string:\n\n```python\ndef mark_approved(self, tool_name: str) -\u003e None:\n    approved = self._approved_context.get(set())\n    approved.add(tool_name)              # stores \"execute_command\", not args\n    self._approved_context.set(approved)\n```\n\nThe approval context is never cleared during agent execution \u2014 `clear_approved()` exists (`registry.py:152`) but is never called in the agent\u0027s tool execution path (`agent/tool_execution.py`).\n\nMeanwhile, the `ConsoleBackend` UI at `backends.py:95-96` misleads the user:\n\n```python\nreturn Confirm.ask(\n    f\"Do you want to execute this {request.risk_level} risk tool?\",\n    # \"this\" implies per-invocation approval\n)\n```\n\nThe UI displays the specific command arguments (lines 81-85), creating a reasonable expectation that the user is approving only that specific invocation.\n\nAdditionally, `shell_tools.py:77` passes the full process environment to every subprocess:\n\n```python\nprocess_env = os.environ.copy()  # includes OPENAI_API_KEY, etc.\n```\n\nThere is no command filtering, blocklist, or environment variable sanitization in the shell tools module.\n\n## PoC\n\n```python\nfrom praisonaiagents import Agent\nfrom praisonaiagents.tools.shell_tools import execute_command\n\n# Step 1: Create agent with shell tool\nagent = Agent(\n    name=\"worker\",\n    instructions=\"You are a helpful assistant.\",\n    tools=[execute_command]\n)\n\n# Step 2: Agent requests benign command \u2014 user sees Rich panel:\n#   Function: execute_command\n#   Risk Level: CRITICAL\n#   Arguments:\n#     command: ls -la\n#   \"Do you want to execute this critical risk tool?\" [y/N]\n# User approves \u2192 mark_approved(\"execute_command\") is called\n\n# Step 3: All subsequent execute_command calls bypass approval silently:\n# execute_command(command=\"env\")\n#   \u2192 returns ALL environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, etc.)\n#   \u2192 NO approval prompt shown\n\n# Step 4: Targeted extraction also bypasses approval:\n# execute_command(command=\"printenv OPENAI_API_KEY\")\n#   \u2192 returns the specific API key\n#   \u2192 NO approval prompt shown\n\n# Verification: check the approval cache\nfrom praisonaiagents.approval import is_already_approved\n# After approving \"ls -la\":\n# is_already_approved(\"execute_command\") \u2192 True\n# Any execute_command call now returns immediately at __init__.py:177-178\n```\n\n## Impact\n\n- **Secret exfiltration**: An LLM agent (or one subjected to prompt injection) can dump all process environment variables after a single benign command approval. Common secrets include `OPENAI_API_KEY`, `AWS_SECRET_ACCESS_KEY`, `DATABASE_URL`, and any other credentials passed via environment.\n- **Misleading consent UI**: The console prompt displays specific arguments and uses language (\"this tool\") that implies per-invocation consent, but the system grants session-wide blanket approval.\n- **No expiration or scope**: The approval cache uses a `ContextVar` that persists for the entire agent execution context with no timeout, no command-count limit, and no clearing between tool calls.\n- **No environment filtering**: `os.environ.copy()` passes every environment variable to subprocesses without filtering sensitive patterns.\n\n## Recommended Fix\n\n1. **Per-invocation approval for critical tools** \u2014 store a hash of `(tool_name, arguments)` instead of just `tool_name`, or require re-approval for each invocation of critical-risk tools:\n\n```python\n# In registry.py \u2014 change mark_approved/is_already_approved:\nimport hashlib, json\n\ndef mark_approved(self, tool_name: str, arguments: dict = None) -\u003e None:\n    approved = self._approved_context.get(set())\n    risk = self._risk_levels.get(tool_name)\n    if risk == \"critical\" and arguments:\n        key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n    else:\n        key = tool_name\n    approved.add(key)\n    self._approved_context.set(approved)\n\ndef is_already_approved(self, tool_name: str, arguments: dict = None) -\u003e bool:\n    approved = self._approved_context.get(set())\n    risk = self._risk_levels.get(tool_name)\n    if risk == \"critical\" and arguments:\n        key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n        return key in approved\n    return tool_name in approved\n```\n\n2. **Filter environment variables** in `shell_tools.py`:\n\n```python\nSENSITIVE_PATTERNS = (\u0027_KEY\u0027, \u0027_SECRET\u0027, \u0027_TOKEN\u0027, \u0027_PASSWORD\u0027, \u0027_CREDENTIAL\u0027)\n\nprocess_env = {\n    k: v for k, v in os.environ.items()\n    if not any(p in k.upper() for p in SENSITIVE_PATTERNS)\n}\nif env:\n    process_env.update(env)\n```",
  "id": "GHSA-ffp3-3562-8cv3",
  "modified": "2026-06-19T21:33:09Z",
  "published": "2026-04-10T19:28:38Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56074"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    },
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands"
}

GHSA-X44P-GG67-52FC

Vulnerability from github – Published: 2026-06-19 00:31 – Updated: 2026-06-19 21:32

Summary

Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands

Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-ffp3-3562-8cv3. This link is maintained to preserve external references.

Original Description

Severity

5.5 (Medium)


                  
                    CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

6.8 (Medium)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 4.5.128"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:32:50Z",
    "nvd_published_at": "2026-06-18T23:16:19Z",
    "severity": "MODERATE"
  },
  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of\u00a0GHSA-ffp3-3562-8cv3. This link is maintained to preserve external references.\n\n## Original Description\nPraisonAI before 1.5.128 caches tool approval decisions by tool name only, not by invocation arguments, allowing subsequent execute_command calls to bypass approval prompts. Attackers can exploit this by obtaining initial approval for a benign command, then silently exfiltrate API keys and credentials via subsequent shell commands without user consent.",
  "id": "GHSA-x44p-gg67-52fc",
  "modified": "2026-06-19T21:32:50Z",
  "published": "2026-06-19T00:31:37Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-56074"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/praisonai-tool-approval-cache-bypass-via-coarse-grained-caching"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Duplicate Advisory: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands",
  "withdrawn": "2026-06-19T21:32:50Z"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-56074 (GCVE-0-2026-56074)

FKIE_CVE-2026-56074

GHSA-FFP3-3562-8CV3

Summary

Details

PoC

Impact

Recommended Fix

GHSA-X44P-GG67-52FC

Duplicate Advisory

Original Description

Tags

Sightings

Nomenclature