Agents
PraisonAI CVE Cluster: Five Critical Vulnerabilities Expose Multi-Agent Framework to RCE, SQL Injection, and Sandbox Escape
Five CVEs disclosed April 3-4 in PraisonAI, a popular multi-agent orchestration framework: CVE-2026-34938 (CVSS 10, sandbox bypass to RCE affecting versions < 1.5.90), CVE-2026-34934 (CVSS 9.8, SQL injection via f-string thread IDs), CVE-2026-34935 (CVSS 9.8, CLI command injection via --mcp argument), CVE-2026-34952 (CVSS 9.1, unauthenticated WebSocket agent control), and CVE-2026-34955 (CVSS 8.8, SubprocessSandbox escape via missing sh/bash blocklist). The CVSS 10 vulnerability bypasses all three sandbox layers — this mirrors the CrewAI CVE cluster disclosed last week and confirms that multi-agent framework sandboxing remains systematically broken across the ecosystem.
Source
↳ Follow the thread