What happened
PraisonAI's prompt-injection defense only blocks threats classified as CRITICAL, which requires three or more detector families to match simultaneously. Attackers can craft single- or double-vector prompt injections that evade CRITICAL classification while still achieving the injection's intended effect, bypassing the defense entirely.
Why it matters
This is a direct bypass of a purpose-built prompt-injection defense mechanism in an agentic AI framework — demonstrating that multi-detector-family AND-gating thresholds create exploitable gaps rather than robust protection, a cautionary finding for any framework using similar ensemble-based prompt-injection detection.
Attack vector
Attacker crafts prompt injection using only one or two detector-triggering vectors to stay below the three-detector-family CRITICAL threshold, evading the defense while still achieving injection effects
Affected systems
PraisonAI (pip package praisonaiagents) < 4.6.78
Mitigation
Upgrade to PraisonAI ≥4.6.78