CVE-2026-39891
PraisonAI has Template Injection in Agent Tool Definitions
Description
## Summary Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions. ## Details The `create_agent_centric_tools()` function returns tools (like `acp_create_file`) that process file content using template rendering. When user input from `agent.start()` is passed directly into these tools without escaping (as shown in `agent_centric_example.py:85-86`), template expressions in the input are executed rather than treated as literal text. This occurs because: 1. No input sanitization or escaping is applied to user-controlled content 2. The ACP-enabled runtime auto-approves operations (`approval_mode="auto"`) 3. Tools lack context-aware escaping for template syntax ## PoC ```python # Replace the agent.start() call at line 85 with: result = agent.start('Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned") }}') ``` Successful exploitation creates `/tmp/pwned` confirming arbitrary command execution. The expression `{{7*7}}` renders as `49` instead of literal text. ## Impact Attackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement. ## Recommended Fix 1. **Input Sanitization**: Implement strict whitelist validation for file content 2. **Contextual Escaping**: Auto-escape template syntax characters (e.g., `{{ }}`) in user input using Jinja2 `autoescape=True` 3. **Sandboxing**: Restrict template execution environments using secure eval modes 4. **Approval Hardening**: Require manual approval for file creation operations in production
How to fix CVE-2026-39891
To remediate CVE-2026-39891, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.115 or later
Is CVE-2026-39891 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.