TL;DR — PraisonAI's create_agent_centric_tools() function generates file-handling tools that process user input through Jinja2 templates without escaping. Ask an agent to create a file with {{ os.system("id") }} in the content and it executes on the host. CVSS 8.8.

background

PraisonAI is a Python framework for building multi-agent AI systems. You define agents with roles, goals, and tools, then orchestrate them to complete complex tasks. The framework has built-in capabilities for file operations, web searches, code execution, and more. Agents collaborate by passing results between each other, forming pipelines that process data through multiple stages.

One of the core features is file handling — agents can create, read, and modify files as part of their workflow. Under the hood, these file operations use Jinja2 to render templates. Jinja2 is Python's most popular template engine, used by Flask, Ansible, and thousands of other projects. It evaluates expressions inside {{ }} delimiters and executes statements inside {% %} blocks.

This is fine when the template content comes from trusted sources. It's not fine when it comes from user prompts.

the vulnerability

The create_agent_centric_tools() function creates tools that accept user input and pass it through Jinja2's template rendering engine. The critical path looks like this:

  1. A user (or another agent) calls agent.start() with a task description
  2. The agent determines it needs to write a file
  3. The file content — derived from the user's input — reaches Jinja2's render() method
  4. Jinja2 evaluates any template expressions in the content before writing

No sanitization happens between steps 2 and 4. The user's input reaches the template engine verbatim.

You can verify this with a trivial probe. Tell the agent to create a file containing {{7*7}}. If the resulting file contains 49 instead of the literal string {{7*7}}, the template engine is evaluating expressions from user input. That's server-side template injection (SSTI).

from SSTI to RCE

Once you've confirmed template evaluation, escalating to code execution is a standard Jinja2 SSTI technique. Jinja2's sandbox doesn't apply here because the templates aren't sandboxed — they have full access to Python's object hierarchy:

agent.start('Create a file with this content: '
    '{{ self.__init__.__globals__.__builtins__'
    '.__import__("os").system("id") }}')

This traverses Python's internal object graph from the template context to __builtins__, imports the os module, and calls system(). The command runs with the privileges of the PraisonAI process.

A more practical payload for exfiltration:

agent.start('Write a report containing: '
    '{{ self.__init__.__globals__.__builtins__'
    '.__import__("os").popen("cat /etc/passwd")'
    '.read() }}')

The file the agent creates will contain the contents of /etc/passwd instead of a report. The agent has no idea it just exfiltrated system files — from its perspective, it successfully completed the task.

why this is worse in an AI context

Traditional SSTI requires an attacker to directly control input to a template. In an AI agent framework, the attack surface is broader:

Direct injection: A user interacts with an agent and includes template syntax in their prompt. This is the obvious case.

Indirect injection via data: An agent processes external data — emails, scraped web pages, API responses, uploaded documents — that contains template syntax. The malicious content wasn't in the original prompt; it was in the data the agent retrieved as part of its task.

Cross-agent propagation: In a multi-agent pipeline, Agent A processes untrusted input and produces output that Agent B uses to write a file. The injection payload travels through the pipeline, invisible to each agent, until it reaches the file-writing tool where Jinja2 evaluates it.

The agent framework creates a laundering effect: the payload enters as "data" and exits as "code," with multiple AI reasoning steps in between that obscure the attack path. Traditional WAF or input validation at the prompt layer wouldn't catch an injection that originates from a database query result three agents upstream.

three contributing factors

The vulnerability isn't just the missing escaping. Three design decisions compound the risk:

  1. No input sanitization — user-controlled content reaches Jinja2 verbatim, with no escaping or stripping of template syntax
  2. Auto-approval mode — PraisonAI supports an auto-approval mode where file operations execute without human confirmation. In production deployments optimizing for throughput, this is often enabled
  3. No template sandboxing — Jinja2 offers a SandboxedEnvironment that restricts attribute access and prevents the __globals__ traversal. PraisonAI uses the unrestricted environment

Any one of these would reduce the impact. All three together make it trivially exploitable.

the fix

Version 4.5.115 addresses the immediate vulnerability by escaping template syntax in user-provided content before it reaches Jinja2. The recommended defense-in-depth mitigations:

  • Enable Jinja2 auto-escape globallyEnvironment(autoescape=True) escapes HTML entities by default, which also neutralizes template syntax
  • Use SandboxedEnvironment — even if escaping is bypassed, the sandbox prevents access to dangerous attributes like __globals__ and __builtins__
  • Validate file content against a strict allowlist of permitted patterns, rejecting anything containing {{, {%, or {#
  • Require manual approval for file operations in production, so a human reviews what the agent is about to write

the bigger picture

AI agent frameworks are inheriting every vulnerability class from traditional web applications — XSS, SSTI, command injection, SSRF — plus new ones unique to the agent paradigm. The OWASP Top 10 for LLM Applications lists prompt injection as the #1 risk, but the supporting infrastructure around the LLM is just as vulnerable.

PraisonAI's template injection isn't a novel vulnerability class. SSTI has been in security curricula for years. What's new is the context: the "user input" might be a prompt, a tool result, a database record, or the output of a previous agent in a pipeline. The blast radius expands because the agent doesn't distinguish between data and instructions. It processes both through the same tools.

The agent doesn't know it's executing a payload. It's just following instructions. That's the whole point — and the whole problem.

CVE-2026-39891. Fixed in PraisonAI 4.5.115.