CVE-2026-44334
Analyzed Analyzed - Analysis Complete
PraisonAI Remote Code Execution via Unprotected Local Tool Import

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44334
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonai From 4.5.139 (inc) to 4.6.32 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44334 is a critical vulnerability in PraisonAI versions 4.5.139 to 4.6.31 that allows unauthenticated remote code execution (RCE). It bypasses a previous patch (CVE-2026-40287) because an import sink in the file tool_override.py was missed and remains unprotected. This flaw allows an attacker to execute arbitrary code by sending a specially crafted POST request to /v1/recipes/run with a recipe path pointing to a local absolute path or a GitHub repository containing a malicious tools.py file.

The vulnerability exists because the SecurityConfig.allow_any_github setting defaults to True, and the tool_override.py file does not enforce the environment variable gate (PRAISONAI_ALLOW_LOCAL_TOOLS=true) that was added to other files to prevent unauthorized imports. As a result, the attacker can drop a tools.py file next to TEMPLATE.yaml or host it in a GitHub repo, which the server will execute without requiring authentication or environment opt-in.

This issue is classified under CWE-94 (Code Injection) due to improper control over code generation from externally influenced input.

Impact Analysis

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary code on the server running PraisonAI without any authentication or special environment configuration.

  • Complete compromise of the affected system by executing malicious code remotely.
  • Potential unauthorized access to sensitive data or system resources.
  • Disruption of normal operations due to malicious code execution.
  • Possibility of persistent backdoors or further exploitation within the network.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /v1/recipes/run that include recipe paths pointing to local absolute paths or GitHub repositories. Since exploitation results in execution of a malicious tools.py file, detection can also involve checking for the presence of unexpected or unauthorized tools.py files next to TEMPLATE.yaml or in locations referenced by recipes.

Additionally, the vulnerability has been confirmed to write a marker file to the system's temporary directory upon exploitation, so scanning for unexpected marker files in temporary directories may help identify exploitation attempts.

Suggested commands to detect potential exploitation or presence of malicious files include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter POST requests to /v1/recipes/run.
  • On the server, search for unexpected tools.py files near TEMPLATE.yaml: `find /path/to/praisonai -name tools.py`.
  • Check for marker files in the system temporary directory, e.g., `ls /tmp` or `find /tmp -name '*marker*'`.
Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 4.6.32 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, consider disabling or restricting the ability to run recipes that reference local absolute paths or arbitrary GitHub repositories, especially since SecurityConfig.allow_any_github defaults to True.

Another mitigation is to set the environment variable PRAISONAI_ALLOW_LOCAL_TOOLS to false or ensure it is not set to true, to prevent auto-import of local tools.py files.

Additionally, monitor and restrict access to the /v1/recipes/run endpoint to trusted users or networks to reduce the risk of remote exploitation.

Compliance Impact

This vulnerability allows unauthenticated remote code execution, which can lead to unauthorized access, data breaches, and manipulation of sensitive information.

Such security weaknesses can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Because the vulnerability enables attackers to execute arbitrary code without authentication, it increases the risk of data exposure or alteration, potentially violating confidentiality, integrity, and availability requirements mandated by these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44334. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart