{"data":{"id":"797606b6-cb26-4592-9419-6aa956443824","title":"GHSA-ffp3-3562-8cv3: PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands","summary":"PraisonAI Agents has a security flaw where tool approval decisions are cached by tool name only, not by the specific command arguments. Once a user approves the `execute_command` tool (a function that runs shell commands) for any command like `ls -la`, all future shell commands in that session bypass the approval prompt entirely. Combined with the fact that all environment variables (including API keys and credentials) are passed to subprocesses, an LLM agent can silently steal sensitive data without asking permission again.","solution":"N/A -- no mitigation discussed in source. This record's affectedPackages field lists praisonaiagents 4.5.128 as the fixed version (patchAvailable: true), so upgrading to 4.5.128 or later is the indicated remediation.","labels":["security","safety"],"sourceUrl":"https://github.com/advisories/GHSA-ffp3-3562-8cv3","publishedAt":"2026-04-10T19:28:38.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["prompt_injection","pii_leakage"],"issueType":"vulnerability","affectedPackages":["praisonaiagents@< 4.5.128 (fixed: 4.5.128)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["PraisonAI","OpenAI","AWS"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":true,"disclosureDate":"2026-04-10T19:28:38.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.92,"researchCategory":null,"atlasIds":null}}