Mallory
High · Public exploit

Template Injection in PraisonAI create_agent_centric_tools

Identifiers: CVE-2026-39891, CWE-94 · Improper Control of Generation of…

CVE-2026-39891 affects PraisonAI, a multi-agent teams system, in versions prior to 4.5.115. The flaw is in create_agent_centric_tools(), which returns tools such as acp_create_file that process file content using template rendering. When user-controlled input supplied via agent.start() is passed directly into these tools without proper escaping, template expressions embedded in that input are evaluated instead of being handled as literal text. This results in server-side template injection / code-generation-style injection behavior in the tool-processing path.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow an attacker with the ability to supply input to the affected agent workflow to cause unintended execution of template expressions during file-content processing. Based on the provided CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), the impact is high across confidentiality, integrity, and availability, potentially enabling unauthorized access to sensitive data, modification of generated or written content, and disruption of service or application behavior.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, avoid passing untrusted or externally influenced input directly into agent-centric tools that render templates, including tools such as acp_create_file. Apply strict input validation and escaping for template metacharacters, disable or restrict template expression evaluation where feasible, and limit which users or components can invoke the affected agent workflows until the fixed version is deployed.
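
The input-validation step described above, as an added example (not PraisonAI code and not part of this advisory): a wrapper that refuses to hand a tool any argument containing template delimiters. The Jinja-style delimiter set and the create_file_tool stand-in are assumptions, since the page names neither the template engine nor the tool's signature.

```python
import re
from functools import wraps

# Assumption: Jinja-style delimiters. The advisory does not name the template
# engine, so adjust this pattern to the engine actually in use.
TEMPLATE_SYNTAX = re.compile(r"\{\{|\}\}|\{%|%\}|\{#|#\}")


class TemplateSyntaxRejected(ValueError):
    """Raised when untrusted input carries template delimiters."""


def find_template_syntax(value, path="arg"):
    """Return (location, delimiter) pairs for each delimiter found in value.

    Walks nested dicts, lists and tuples, because tool arguments are often
    structured rather than a single string.
    """
    if isinstance(value, str):
        return [(f"{path}@{m.start()}", m.group())
                for m in TEMPLATE_SYNTAX.finditer(value)]
    if isinstance(value, dict):
        # Keys can be externally influenced too, so scan them as well.
        items = [(f"{path} key", k) for k in value]
        items += [(f"{path}[{k!r}]", v) for k, v in value.items()]
    elif isinstance(value, (list, tuple)):
        items = [(f"{path}[{i}]", v) for i, v in enumerate(value)]
    else:
        return []
    return [hit for p, v in items for hit in find_template_syntax(v, p)]


def reject_template_syntax(tool):
    """Wrap a tool so it is never called with template delimiters in its input."""
    @wraps(tool)
    def guarded(*args, **kwargs):
        hits = find_template_syntax(args, "args") + find_template_syntax(kwargs, "kwargs")
        if hits:
            raise TemplateSyntaxRejected(f"{tool.__name__}: template syntax at {hits}")
        return tool(*args, **kwargs)
    return guarded


# Hypothetical stand-in for a template-rendering tool; this is not
# PraisonAI's acp_create_file and its signature is assumed.
@reject_template_syntax
def create_file_tool(path, content):
    return f"wrote {len(content)} bytes to {path}"
```

Rejecting outright also blocks legitimate content that happens to contain these sequences (nested JSON ending in `}}`, for example), so treat it as a stopgap until the upgrade to 4.5.115 is deployed.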

Remediation

Patch, then assume compromise.

Upgrade PraisonAI to version 4.5.115 or later, which fixes the issue. Ensure that any user-controlled data passed from agent.start() into tools returned by create_agent_centric_tools() is treated as untrusted input and is properly escaped or otherwise prevented from being interpreted as template syntax.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

Vendor     Product    Type
Praison    Praisonai  application
PraisonAI  Praisonai  application

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
