Security
PraisonAI takes security seriously. This page outlines our security policies, how to report vulnerabilities, and best practices for secure deployment.
Supported Versions
Latest (>= 2.0.0)
Actively maintained with security patches
Legacy (< 2.0.0)
Please upgrade to the latest version
Reporting Security Vulnerabilities
If you discover a security vulnerability, please report it responsibly to help protect the community.1
Open Draft Advisory
2
Describe the Issue
Include detailed reproduction steps and impact assessment
3
Allow Time for Fix
Allow time for maintainers to address the issue before public disclosure
What to Include
Vulnerability Description
Vulnerability Description
Clear explanation of the security issue and affected components
Reproduction Steps
Reproduction Steps
Step-by-step instructions to reproduce the vulnerability
Affected Versions
Affected Versions
Which versions of PraisonAI are impacted
Impact Assessment
Impact Assessment
Severity rating and potential consequences
Suggested Fix
Suggested Fix
Optional: Your recommendation for fixing the issue
Security Advisories
View all published security advisories:View Advisories
Browse all published security advisories on GitHub
Report New Issue
Create a new draft security advisory
Recent Security Hardening (PR #2062)
execute_commandblocksDANGEROUS_COMMANDSby default (allow_dangerous=False)search_replaceandappend_to_fileenforce protected paths- Audit log is thread-safe with
get_audit_log().close()lifecycle API - AgentOps init deduplicated — use
is_agentops_available()instead of eagerAGENTOPS_AVAILABLEinobservability/hooks
Recent Security Hardening (PraisonAI #3087)
Commitd1d0272 (fixes #3087) closes a workspace-escape bug in the code-editing tools.
What changed:
apply_diff,search_replace, andappend_to_fileinpraisonai.code.toolspreviously gated their workspace-confinement check behindif workspace:and silently skipped it when no workspace was passed.- All three now default the workspace to
os.getcwd()when unset, and always enforceis_path_within_directory(...)— matching the behaviourwrite_file/read_filealready had.
praisonai.code tools (code_apply_diff, code_search_replace, code_write_file, or the low-level append_to_file) without calling set_workspace(...). Absolute paths outside cwd are now rejected with "Path '<path>' is outside the workspace".
Action required:
Either call set_workspace("/intended/root") before invoking the tools, or ensure the process cwd is the intended workspace root. No action needed if you were already calling set_workspace(...).
See Code Editing → Workspace Security and Protected Paths.
Recent Security Hardening (4.6.34)
PraisonAI 4.6.34 (released May 3, 2026) introduced three critical security fixes that change default behavior:Security Vulnerabilities Fixed
GHSA-9mqq-jqxf-grvw
Critical: Path traversal in MCP rules
GHSA-6rmh-7xcm-cpxj
High: Unauthenticated API by default
GHSA-3643-7v76-5cj2
Medium: SQL identifier injection
Breaking Changes
What changed:- API servers now require authentication by default - anonymous requests return
401 - API servers bind to
127.0.0.1by default instead of0.0.0.0 - MCP rules tools reject unsafe file paths - names like
"../../etc/passwd"now fail - Knowledge backends validate identifiers - collection names must be
[A-Za-z0-9_]+
Recent Security Hardening (next release — Security Batch 10)
PraisonAI’s upcoming release includes 10 security advisories worth of hardening fixes from PR #1684. Several changes are user-facing and breaking.Security Vulnerabilities Fixed
GHSA-4mr5-g6f9-cfrh
Critical: execute_code sandbox escapes
GHSA-5c6w-wwfq-7qqm
High: spider_tools loopback bypass
GHSA-9cr9-25q5-8prj
High: MCP CLI tools path traversal
GHSA-86qc-r5v2-v6x6
High: Call server unauthenticated
GHSA-hvhp-v2gc-268q
Medium: write_file workspace escape
GHSA-5cxw-77wg-jrf3
Medium: @url: mentions SSRF
GHSA-xwq8-frcg-77q8
Low: Cross-workspace IDOR
GHSA-c2m8-4gcg-v22g
Low: Platform RBAC bypass
GHSA-xp85-6wwf-r67c
Low: CI branch injection
GHSA-3qg8-5g3r-79v5
Low: Platform default JWT secret
Breaking Changes
Call server bind hardening (PR #2085, fixes #1602):praisonai call now binds to 127.0.0.1 by default and exposes a --host flag for explicit override. Previously bound to 0.0.0.0 unconditionally while printing a misleading http://localhost:{port} log line. If --host 0.0.0.0 is used without --public, a WARNING is printed at startup. Related advisory: GHSA-86qc-r5v2-v6x6.
Migration for API Server Users
For step-by-step migration instructions, see API Server Authentication.Recent Security Hardening (Batch 2)
PraisonAI Security Batch 2 (merged May 19, 2026) introduces six additional critical security fixes with behavioral changes:Security Vulnerabilities Fixed
GHSA-943m-6wx2-rc2j
High: Platform cross-workspace project access
GHSA-5jx9-w35f-vp65
High: Platform cross-workspace label access
GHSA-4x6r-9v57-3gqw
Medium: Platform cross-workspace dependencies
GHSA-27p4-pjqv-whgj
Medium: Platform cross-workspace activity logs
GHSA-6xj3-927j-6pqw
Medium: Deploy HTML sanitization missing
GHSA-vg22-4gmj-prxw
Low: Tool eval() RCE in examples
Breaking / Behavioral Changes
What changed:- Cross-workspace IDs on platform routes now return 404 instead of leaking data - affects project, label, dependency, and issue-activity routes
- Generated
api.pyfrompraisonai deploynow requires thebleachpackage at runtime for HTML sanitization - Custom tool eval examples switched from
evalto AST allow-list - if you copied the old_safe_evalsnippet, adopt the new pattern (see Safe Tool Eval) WorkspaceService.deletenow also removesMemberrows in the same transaction - no caller action needed but SDK consumers relying on orphaned memberships should re-check fixtures
Hardened Examples
The unsafeeval(expr, {"__builtins__": {}}) pattern in examples has been replaced with an AST-based allow-list that only permits basic arithmetic operations. See the new Safe Math Eval in Custom Tools guide for the secure implementation pattern.
Recent Security Hardening (PR #1870)
PR #1870 adds filesystem-boundary enforcement to the local sandbox backends.What changed
DockerSandbox.write_file / read_file / list_filesandSubprocessSandbox.write_file / read_file / list_filesnow reject any path that resolves outside the sandbox’stemp_dir.- Rejected operations return
False(write),None(read), or[](list) and logPath traversal attempt blocked: <path>. - Helper:
praisonai.sandbox._compat.safe_sandbox_path().
Who is affected
Anyone usingsandbox=True, sandbox=SandboxConfig.docker(...),
or sandbox=SandboxConfig.subprocess(...) and exposing
execute_python_code / execute_shell_command tools to an LLM.
Action required
None — the protection is on by default. If an agent had previously relied on writing to host paths via../, it will now fail and should
be reconfigured to write inside the sandbox root.
How It Works
Every input passes through injection defense before the Agent acts, and every tool call is recorded in the audit log.Best Practices
Webhook Verification
Bot adapters that accept inbound webhooks verify HMAC signatures fail-closed by default — missing secrets or invalid signatures return HTTP 401. SetPRAISONAI_INSECURE_WEBHOOKS=true only for local development. See Webhook Verification.
- API Key Management
- Sandboxed Execution
- Input Validation
Never hardcode API keys in your source code. Use environment variables instead.
How to Secure Your Agents
Secure Agent Configuration
1
Enable Security Modules
Always enable security features before creating agents:
2
Set Workspace Boundaries
Define clear workspace boundaries to prevent path traversal:
3
Use ExecutionConfig for Code
When agents need to execute code, always use safe mode:When using Code Mode Tool Bridge,
require_approval is honoured on every tool call from within the script — a single approval does not silently unlock later calls. The feature is opt-in via code_tools=True and requires an explicit code_tools_allow list:4
Configure Rate Limiting
Prevent abuse with rate limiting:
5
Add Verification Hooks
For autonomous agents, add verification hooks:
Security Checklist
Pre-Deployment Checklist
Pre-Deployment Checklist
- Security modules enabled (
enable_security()) - Workspace boundaries set
- API keys in environment variables (not hardcoded)
- Code execution in “safe” mode (if enabled)
- Rate limiting configured
- Protected paths reviewed
- Input validation enabled
Runtime Security Checklist
Runtime Security Checklist
- Audit logging active
- Injection defense scanning all inputs
- Path traversal protection enabled
- Tool execution timeout set
- Memory limits configured
- Error handling doesn’t leak sensitive info
Production Hardening
Production Hardening
- Network egress restricted
- Container sandboxing enabled
- Secrets management (Vault/AWS Secrets/etc.)
- Log aggregation configured
- Monitoring and alerting active
- Regular dependency updates
- Security scanning in CI/CD
FileMemory user_id sanitisation
FileMemory(user_id=...) strips whitespace, rejects path-traversal characters, and uses the sanitised value for both the in-memory user_id and the on-disk user_path. Empty or whitespace-only inputs fall back to "default". Fix landed in PR #1980 — earlier releases used the raw input for the path, so user_id=" alice " could write to a different directory than mem.user_id reported.
Secure Implementation Guide
Pattern 1: Secure Multi-Agent Workflow
This pattern shows how to configure multiple agents securely with proper isolation and monitoring.
Pattern 2: Secure Bot Deployment
Pattern 3: Secure Autonomous Agent
Pattern 4: Secure MCP Server Integration
Security Hardening by Environment
- Development
- Staging
- Production
Enable All Logging
Set LOGLEVEL=debug for security event visibility
Use Test API Keys
Separate keys with limited quotas for dev
CVE Policy
PraisonAI follows responsible disclosure practices with a structured workflow:Security Features
Path Traversal Protection
Prevents agents from accessing files outside the designated workspace
Injection Defense
Scans for prompt injection attempts before processing
Protected Paths
Blocks modification of sensitive system files and directories
Audit Logging
Thread-safe JSONL audit log for tool calls
Optional Security Modules
Secrets in Deployment
PraisonAI never passes secrets via command line arguments, which prevents exposure in process lists, shell history, and CI logs.Secure Cloud Deployment
When deploying to cloud platforms, PraisonAI automatically handles secrets securely:- Creates temp YAML via
tempfile.mkstemp()with mode0600(owner read/write only) - Writes secrets to temp file instead of command line
- Passes via
--env-vars-filetogcloudcommand - Removes temp file in
finallyblock, even if deployment fails
Secret handling for gateway credentials
Gateway channel credentials —token, app_token, and verify_token — support a first-class { source, id } reference so tokens never live in YAML or a process-wide env var.
- Zero secrets in YAML, zero in the process env.
{ source: file, id: /run/secrets/token }reads a mounted Docker / Kubernetes secret;{ source: exec, id: "vault read ..." }runs a secret-manager CLI. Neither is inherited by child processes. - Automatic log redaction. Every resolved secret is registered so it is scrubbed from logs and tracebacks — tokens never leak into errors.
- Availability probe never prints values.
praisonai gateway doctorreports each field asavailable/configured-but-unavailable/configured/missingwithout revealing the value, so operators can validate wiring before start-up.
Secret References
Load gateway credentials from files, env vars, or secret managers — never plaintext
Gateway Edge Protections (PR #2623)
Internet-exposedpraisonai serve gateway deployments now have two default-on guards that require no configuration:
PreauthConnectionBudget— caps concurrent unauthenticated WebSocket connections per source IP (preauth_max_connections_per_ip=32). Connections that exceed the cap are closed before auth runs with WebSocket close code4029. Loopback is always exempt.UnauthorizedFloodGuard— closes a connection that sends too many unauthorized frames on a single session (max_unauthorized_frames=10), using close code4028. Distinct from the existing4008handshake rate-limit code so clients can handle each case correctly.AuthRateLimiteroverflow fail-closed — when the per-IP key map is saturated, new IPs are rejected rather than admitted (which would evict existing lockouts). Existing lockouts are preserved even under a fresh-IP flood.
Gateway Edge Protections
Full operator guide: defaults, YAML/Python tuning, close code reference, and when to change limits
Recent Security Hardening (PR #2850)
PR #2850 (fixes #2843) upgrades.gateway_secret handling in praisonai_bot.gateway.pairing from warn-only to remediate-or-fail-closed. The file signs pairing codes, so world-readable permissions previously allowed forged codes; the old behaviour surfaced the risk but loaded the file anyway.
Permissions are now re-checked and remediated on every PairingStore(...) construction, not only at creation:
- POSIX: an existing file with any mode other than
0o600ischmod-ed to0o600on load. A failingchmodraisesOSErrorinstead of falling back to secret regeneration — preserving the HMAC signing key so outstanding pairing codes stay valid. - Windows: best-effort ACL lockdown via
icacls /inheritance:r /grant:r "<user>":F, withicaclsresolved from%SystemRoot%\System32rather thanPATHto avoid a hijacked binary. This path is best-effort and never raises. - The prior per-init
WARNING("Gateway secret file … has insecure permissions …") is removed; POSIX success logs atINFO, and Windows logs atDEBUGonly.
Recent Security Hardening
Recent security improvements include: Gateway Auth Token Unification (PR #1744):- Config token now exports to
GATEWAY_AUTH_TOKENenv var at startup - Ensures all auth paths (HTTP, magic-link, WebSocket) use the same secret
- Config wins over environment variable to prevent stale token issues
- SSH: Fixed temp file cleanup in
finallyblock and remote process timeout handling - Docker: Container naming and proper kill on timeout to enforce resource limits
- Prevents resource leaks that could lead to DoS conditions
- Uses secure temp YAML file with
chmod 0600instead of argv secrets - Prevents secret exposure in
ps, shell history, and CI logs - Automatic cleanup even on deployment failures
Concurrency & Async Safety
PraisonAI includes several security hardening measures for concurrent and asynchronous execution:Chat-History Integrity
Chat history mutations are now lock-protected to prevent lost updates and corrupt rollback in multi-agent and async scenarios:Fail-Closed Approvals
Console-backend approvals now raisePermissionError in async contexts instead of silently bypassing security checks:
Visible Failures
Previously silent failures now log at WARN level with stack traces for improved security visibility:- Streaming callback errors (
praisonaiagents.streaming.events) - Session-gateway linkage failures (
praisonaiagents.agent.execution_mixin) - Learning-nudge generation failures (
praisonaiagents.agent.tool_execution)
Resources
GitHub Repository
Source code, issue tracking, and contribution guidelines
Documentation
Comprehensive guides, API reference, and tutorials
Website
Product overview, features, and enterprise solutions
Security Advisories
View and report security issues
Acknowledgments
We thank the security researchers who have responsibly disclosed vulnerabilities. Credits are listed in individual security advisories on GitHub.Thank you to all security researchers who help make PraisonAI safer for everyone.
Related
Protected Paths
Block modification of sensitive files and directories.
Audit Logging
Thread-safe JSONL audit log for tool calls.

