What happened
PraisonAI's UI modules hardcode approval_mode to 'auto', ignoring the administrator's PRAISON_APPROVAL_MODE environment variable configuration. This means any authenticated user can direct the LLM agent to execute arbitrary shell commands via subprocess.run with shell=True, bypassing the manual approval gate designed to prevent unauthorized command execution. Published 2026-06-18, CVSS 8.8 HIGH.
Why it matters
In AI agent deployments, approval gates are a primary safety control preventing agents from taking destructive actions. Hardcoding auto-approval completely nullifies administrator-configured human oversight for shell execution — a core agentic security control — allowing lateral movement, data exfiltration, or full host compromise from any authenticated session.
Attack vector
An authenticated attacker instructs the LLM agent via the UI to run a shell command. The UI module hardcodes approval_mode=auto, overriding the administrator-set PRAISON_APPROVAL_MODE environment variable that would otherwise require manual approval. The agent then executes the command via subprocess.run(shell=True), with only an insufficient blocklist standing in for input sanitization.
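The following is an added example, not PraisonAI's own code, showing the two halves of the flaw side by side: a resolver that hardcodes 'auto' (the vulnerable pattern the advisory describes) next to one that honours PRAISON_APPROVAL_MODE and fails closed to manual approval, wired into a small execution gate that runs argv lists instead of shell=True strings. The env var name and the values 'auto' and 'manual' come from the advisory text; the function and class names, the ShellGate design and the audit log are assumptions made for this illustration.

```python
import os
import shlex
import subprocess
import sys
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed names for this example (not PraisonAI's API): only the env var
# name and the 'auto' / 'manual' values are taken from the advisory.
ENV_VAR = "PRAISON_APPROVAL_MODE"
VALID_MODES = {"auto", "manual"}

# Constructed sample command: prints 'ok' with the current interpreter.
SAMPLE_CMD = f"{shlex.quote(sys.executable)} -c \"print('ok')\""


def resolve_approval_mode_vulnerable(env: Optional[Dict[str, str]] = None) -> str:
    """The pattern behind the advisory: the environment is accepted but
    ignored, so the administrator's setting never reaches the gate."""
    return "auto"


def resolve_approval_mode(env: Optional[Dict[str, str]] = None) -> str:
    """Fixed resolver: read the administrator's setting and fail closed.
    An unset or unrecognised value is treated as 'manual'."""
    env = os.environ if env is None else env
    mode = env.get(ENV_VAR, "manual").strip().lower()
    return mode if mode in VALID_MODES else "manual"


@dataclass
class ShellGate:
    """Execution gate: consults the resolver on every call (so a config
    change takes effect immediately) and asks a human approver whenever
    the mode is 'manual'. Every decision is appended to an audit list."""
    mode_resolver: Callable[[], str]
    approver: Callable[[List[str]], bool]
    audit: List[tuple] = field(default_factory=list)

    def run(self, command: str) -> Optional[subprocess.CompletedProcess]:
        # Split into argv and never pass shell=True: metacharacters in the
        # agent-supplied string are not interpreted by a shell.
        argv = shlex.split(command)
        mode = self.mode_resolver()
        if mode == "manual" and not self.approver(argv):
            self.audit.append(("denied", argv, mode))
            return None
        self.audit.append(("executed", argv, mode))
        return subprocess.run(argv, capture_output=True, text=True, check=False)


def demo() -> dict:
    """Runs both gates against an administrator who set manual approval
    and an approver that always declines; returns what each gate did."""
    admin_env = {ENV_VAR: "manual"}
    decline = lambda argv: False  # noqa: E731 - human-in-the-loop stand-in

    fixed = ShellGate(lambda: resolve_approval_mode(admin_env), decline)
    vulnerable = ShellGate(lambda: resolve_approval_mode_vulnerable(admin_env), decline)

    fixed_result = fixed.run(SAMPLE_CMD)
    vuln_result = vulnerable.run(SAMPLE_CMD)
    return {
        "fixed_ran": fixed_result is not None,
        "vulnerable_ran": vuln_result is not None,
        "vulnerable_stdout": vuln_result.stdout.strip() if vuln_result else "",
        "fixed_audit": fixed.audit[-1][0],
        "vulnerable_audit": vulnerable.audit[-1][0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The gate deliberately re-reads the mode on every call rather than caching it at import time; caching is one way a "read the environment once at startup" implementation drifts into the same outcome as hardcoding when the UI process is started before the variable is set.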
Affected systems
PraisonAI < 4.5.128
Mitigation
Upgrade to PraisonAI 4.5.128 or later. Advisory: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qwgj-rrpj-75xm