AI Sec Watch

PraisonAIAgents is a system that coordinates multiple AI agents working together as teams. Before version 1.5.128, the web_crawl() function didn't check URLs before fetching them, allowing attackers or malicious content to trick agents into accessing sensitive internal systems, cloud configuration data, or local files through specially crafted URLs like file:// paths.

PraisonAIAgents (a system that coordinates multiple AI agents working together) versions before 1.5.128 contain a vulnerability in the read_skill_file() function that allows reading any file from a computer's filesystem without restrictions. An attacker using prompt injection (tricking an AI by hiding instructions in its input) could exploit this to steal sensitive files, because unlike other file-reading functions in the same system, read_skill_file() lacks both boundary protections and approval requirements.

PraisonAI versions before 4.5.128 have a security flaw in their /media-stream WebSocket endpoint (a connection protocol for real-time communication) that allows anyone to connect without proving who they are or validating they're authorized. When attackers connect, the server automatically opens a session to OpenAI's API using its own credentials, and since there are no limits on how many connections or messages are allowed, an attacker can drain the server's resources and use up the victim's OpenAI API credits.

PraisonAI, a system for managing multiple AI agents working together, had a vulnerability in versions before 4.5.128 where the deploy.py file didn't check if certain configuration values (openai_model, openai_key, and openai_base) contained commas before putting them into a command. Since commas are used as separators in the gcloud deployment command, an attacker could sneak extra commas into these values to inject arbitrary environment variables (settings that control how the deployed service behaves) into the cloud service.

PraisonAI, a system that uses multiple AI agents to work together as teams, has a vulnerability in versions before 4.5.128 where it displays agent output as HTML without properly cleaning it first. An attacker can inject malicious JavaScript code (code that runs in a web browser) through poisoned data or tricked prompts, and this code will execute when someone views the output.

PraisonAIAgents (a system for running multiple AI agents as teams) has a critical vulnerability in versions before 1.5.128 where user-controlled commands are passed directly to subprocess.run() with shell=True (a function that executes system commands), allowing attackers to inject shell metacharacters (special characters like pipes and semicolons that the shell interprets as instructions) and run arbitrary code. An attacker who gains file-write access through prompt injection (tricking an AI by hiding malicious instructions in its input) can modify the .praisonai/hooks.json configuration file to execute malicious code automatically every time the agent runs.

OpenClaw, a local AI assistant tool, had a security flaw where Git environment variables (special settings that control how Git works) were not being removed before running system commands, potentially allowing attackers to redirect Git operations to malicious locations. This vulnerability affected OpenClaw versions up to 2026.3.30.

LangChain, a framework for building AI agents and applications powered by large language models, had a vulnerability in how it validated f-string templates (a Python feature for inserting variables into text strings). Before versions 0.3.84 and 1.2.28, certain template classes could accept and execute dangerous expressions that should have been blocked, including attribute access and nested replacement fields hidden in format specifiers, which could allow attackers to access unintended data or run unwanted code.

OpenAI announced a new $100 per month Pro subscription tier for ChatGPT that offers five times more usage of Codex (an AI-powered coding assistant that automates tasks and bug fixes for developers) compared to its $20 per month Plus plan. This move is designed to compete with Anthropic's Claude Code, which offers similar high-usage tiers at comparable price points, as coding assistants have become increasingly popular tools for software development.