CVE-2026-60086 in PraisonAIinfo

Summary

by MITRE • 07/10/2026

PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft single or double-vector prompt injections that are classified as HIGH threat level and pass through unblocked to reach the model.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in PraisonAI versions prior to 4.6.78 represents a critical flaw in prompt injection detection mechanisms that directly undermines the security posture of the application. This issue stems from an overly permissive threat classification system where only prompt injections meeting CRITICAL severity thresholds are blocked, requiring simultaneous detection by three or more detector families. The technical implementation fails to account for the fact that sophisticated attackers can craft prompt injections using single or double vector approaches that, while individually classified as HIGH threat level, bypass the defensive mechanisms entirely. This design flaw creates a fundamental gap in the security architecture where threat vectors that pose significant risk to system integrity and data confidentiality can successfully infiltrate the model processing pipeline.

The operational impact of this vulnerability extends beyond simple bypass scenarios and represents a substantial risk to the overall security framework of applications relying on PraisonAI for prompt processing. Attackers exploiting this weakness can manipulate model outputs through carefully constructed injection vectors that remain undetected by the current defense system, potentially leading to unauthorized access, data leakage, or manipulation of AI-generated responses. The vulnerability specifically targets the core defensive capabilities of the system, where threat classification and blocking mechanisms fail to adequately protect against even moderately severe prompt injection attempts. This creates an environment where attackers can systematically work around security controls using techniques that would normally be detected and prevented by more robust defense mechanisms.

From a security standards perspective, this vulnerability aligns with CWE-470 and CWE-94, representing weaknesses in the generation and handling of potentially dangerous inputs. The bypass mechanism operates as a direct violation of secure coding practices outlined in NIST SP 800-160 and ISO/IEC 27001 security controls. The specific implementation flaw demonstrates inadequate risk assessment and threat modeling, where the security team failed to consider the possibility that attackers could craft injection vectors that would not meet the stringent three-family detection threshold. This vulnerability also maps to ATT&CK technique T1584 which describes adversary tactics for bypassing defensive measures through manipulation of system controls.

Mitigation strategies should focus on strengthening the threat classification and blocking mechanisms within PraisonAI to ensure all prompt injections exceeding HIGH threat levels are properly detected and blocked regardless of the number of detector families involved. Organizations should implement enhanced logging and monitoring capabilities to detect anomalous prompt injection patterns that may indicate attempted exploitation of this vulnerability. The recommended approach involves upgrading to version 4.6.78 or later, which addresses the core issue by modifying the threat detection thresholds to include HIGH severity vectors in the blocking mechanism. Additionally, security teams should consider implementing layered defense strategies including regular security assessments and penetration testing to identify similar vulnerabilities in related systems that may be susceptible to analogous bypass techniques.

The vulnerability demonstrates a classic example of inadequate security architecture where defensive controls fail due to overly restrictive blocking criteria rather than comprehensive threat detection capabilities. This design choice creates an attack surface that can be systematically exploited by threat actors with sufficient knowledge of the system's detection thresholds and classification mechanisms. Organizations implementing AI-based systems must ensure that their prompt injection defenses are robust enough to handle various threat levels without creating exploitable gaps in protection, particularly when the security controls themselves rely on multi-factor detection criteria that can be circumvented through strategic attack vector construction.

Responsible

VulnCheck

Reservation

07/08/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!