What happened
PraisonAI's UI modules hardcode approval_mode=auto, bypassing the administrator's configuration from the PRAISON_APPROVAL_MODE environment variable. This allows authenticated attackers to instruct the agent to execute arbitrary shell commands without approval prompts.
Why it matters
Agentic AI systems with shell execution capability can modify code, exfiltrate data, or compromise the host system. Approval mode is a critical safeguard. Hardcoding auto approval removes human-in-the-loop controls and enables lateral movement.
Attack vector
UI modules in PraisonAI hardcode approval_mode to 'auto', overriding the PRAISON_APPROVAL_MODE environment variable set by administrators. An authenticated attacker can instruct the LLM agent to execute arbitrary shell commands, which are automatically approved without human review.
Affected systems
PraisonAI < 4.5.128
Mitigation
Upgrade to PraisonAI 4.5.128 or later. Enforce approval_mode via the PRAISON_APPROVAL_MODE environment variable and remove hardcoded auto approvals.
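To find leftover hardcoded approvals in your own wrappers or forks, the following added example (not PraisonAI's code) parses Python source and reports every place where approval_mode is set to the literal 'auto'. The sample source and the call names in it are constructed, and how any real module spells the setting is an assumption.

```python
import ast

# Constructed sample, not PraisonAI source: three hardcoded settings and one
# assignment that defers to the administrator's environment variable.
SAMPLE = '''
import os
config = {"approval_mode": "auto"}
agent = make_agent(tools=["shell"], approval_mode="auto")
approval_mode = os.environ.get("PRAISON_APPROVAL_MODE")
session.approval_mode = "auto"
'''

TARGET = "approval_mode"   # setting name taken from the advisory
UNSAFE = "auto"            # value the advisory reports as hardcoded


def _is_unsafe(node):
    """True when the node is the string literal 'auto'."""
    return isinstance(node, ast.Constant) and node.value == UNSAFE


def find_hardcoded_approval(source):
    """Return sorted (line, kind) pairs where approval_mode is literally 'auto'."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.keyword):
            # Call argument: f(approval_mode="auto")
            if node.arg == TARGET and _is_unsafe(node.value):
                hits.append((node.value.lineno, "keyword"))
        elif isinstance(node, ast.Assign) and _is_unsafe(node.value):
            # `approval_mode = "auto"` or `obj.approval_mode = "auto"`
            names = [getattr(t, "id", getattr(t, "attr", None)) for t in node.targets]
            if TARGET in names:
                hits.append((node.lineno, "assignment"))
        elif isinstance(node, ast.Dict):
            # Dict literal: {"approval_mode": "auto"}
            for key, value in zip(node.keys, node.values):
                if isinstance(key, ast.Constant) and key.value == TARGET and _is_unsafe(value):
                    hits.append((value.lineno, "dict"))
    return sorted(hits)


if __name__ == "__main__":
    for line, kind in find_hardcoded_approval(SAMPLE):
        print(f"line {line}: hardcoded {TARGET}={UNSAFE!r} ({kind})")
```

Values built at runtime (string concatenation, defaults passed through variables) are not caught by a literal match, so treat a clean result as a starting point for review.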