CVE-2026-44334
Analyzed - Analysis Complete
PraisonAI Remote Code Execution via Unprotected Local Tool Import

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: praison
Product: praisonai
Version / Range: From 4.5.139 (inc) to 4.6.32 (exc)
CWE ID: CWE-94
Description: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-44334 is a critical vulnerability in PraisonAI versions 4.5.139 to 4.6.31 that allows unauthenticated remote code execution (RCE). It bypasses a previous patch (CVE-2026-40287) because an import sink in the file tool_override.py was missed and remains unprotected. This flaw allows an attacker to execute arbitrary code by sending a specially crafted POST request to /v1/recipes/run with a recipe path pointing to a local absolute path or a GitHub repository containing a malicious tools.py file.

The vulnerability exists because the SecurityConfig.allow_any_github setting defaults to True, and the tool_override.py file does not enforce the environment variable gate (PRAISONAI_ALLOW_LOCAL_TOOLS=true) that was added to other files to prevent unauthorized imports. As a result, the attacker can drop a tools.py file next to TEMPLATE.yaml or host it in a GitHub repo, which the server will execute without requiring authentication or environment opt-in.

This issue is classified under CWE-94 (Code Injection) due to improper control over code generation from externally influenced input.
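
The root cause described above is a gate enforced per call site, with one call site missed. The following is an added example, not PraisonAI code: a CI-style check that flags any function calling exec_module without referencing the gate variable. The helper name ungated_sinks and both sample sources are constructed for illustration.

```python
import ast

ENV_GATE = "PRAISONAI_ALLOW_LOCAL_TOOLS"  # gate variable named in the advisory
SINK_ATTRS = {"exec_module"}              # import sink named in the advisory

# Constructed sample: a loader that checks the gate before importing.
GATED_SAMPLE = '''
import os, importlib.util
def load_tools(path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return None
    spec = importlib.util.spec_from_file_location("tools", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod
'''

# Constructed sample: the same import with the gate left out.
MISSED_SAMPLE = '''
import importlib.util
def load_override(path):
    spec = importlib.util.spec_from_file_location("tools", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod
'''


def ungated_sinks(source, filename):
    """Return (filename, function, line) for each sink call made in a function
    whose body never references ENV_GATE as a string literal (a heuristic)."""
    findings = []
    for func in ast.walk(ast.parse(source, filename)):
        if not isinstance(func, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        nodes = list(ast.walk(func))
        if any(isinstance(n, ast.Constant) and n.value == ENV_GATE for n in nodes):
            continue  # gate is mentioned; a reviewer still confirms it is enforced
        for n in nodes:
            if (isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
                    and n.func.attr in SINK_ATTRS):
                findings.append((filename, func.name, n.lineno))
    return findings


if __name__ == "__main__":
    for name, src in (("gated.py", GATED_SAMPLE), ("missed.py", MISSED_SAMPLE)):
        print(name, ungated_sinks(src, name))
```

Sink calls at module level and gates held in a named constant are outside this heuristic, so a clean result still needs a manual pass over every import site.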


How can this vulnerability impact me?

This vulnerability can have severe impacts as it allows an attacker to execute arbitrary code on the server running PraisonAI without any authentication or special environment configuration.

  • Complete compromise of the affected system by executing malicious code remotely.
  • Potential unauthorized access to sensitive data or system resources.
  • Disruption of normal operations due to malicious code execution.
  • Possibility of persistent backdoors or further exploitation within the network.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for suspicious POST requests to the endpoint /v1/recipes/run that include recipe paths pointing to local absolute paths or GitHub repositories. Since exploitation results in execution of a malicious tools.py file, detection can also involve checking for the presence of unexpected or unauthorized tools.py files next to TEMPLATE.yaml or in locations referenced by recipes.

Additionally, the vulnerability has been confirmed to write a marker file to the system's temporary directory upon exploitation, so scanning for unexpected marker files in temporary directories may help identify exploitation attempts.

Suggested commands to detect potential exploitation or presence of malicious files include:

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter POST requests to /v1/recipes/run.
  • On the server, search for unexpected tools.py files near TEMPLATE.yaml: `find /path/to/praisonai -name tools.py`.
  • Check for marker files in the system temporary directory, e.g., `ls /tmp` or `find /tmp -name '*marker*'`.
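
The host-side checks above can be combined into one audit script. This is an added example, not part of PraisonAI or the advisory: it compares a version against the affected range given on this page and lists every tools.py that shares a directory with a TEMPLATE.yaml. The distribution name praisonai and the function names are assumptions.

```python
import importlib.metadata
import re
import sys
from pathlib import Path

AFFECTED_FROM = (4, 5, 139)  # inclusive lower bound, from the advisory
FIXED_IN = (4, 6, 32)        # first patched release, from the advisory


def parse_version(text):
    """'4.6.31' -> (4, 6, 31). Only the first three numeric fields are used."""
    nums = [int(n) for n in re.findall(r"\d+", text)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def is_affected(version_text):
    """True when the version falls in [4.5.139, 4.6.32)."""
    return AFFECTED_FROM <= parse_version(version_text) < FIXED_IN


def installed_version(dist="praisonai"):  # distribution name is an assumption
    """Installed version of the distribution, or None if it is absent."""
    try:
        return importlib.metadata.version(dist)
    except importlib.metadata.PackageNotFoundError:
        return None


def tools_beside_templates(root):
    """Every tools.py that shares a directory with a TEMPLATE.yaml."""
    hits = []
    for template in Path(root).rglob("TEMPLATE.yaml"):
        candidate = template.with_name("tools.py")
        if candidate.is_file():
            hits.append(candidate)
    return sorted(hits)


def audit(root, version_text=None):
    """Combine both checks into one reviewable record."""
    version = version_text or installed_version()
    return {
        "version": version,
        "affected": bool(version) and is_affected(version),
        "tools_py": [str(p) for p in tools_beside_templates(root)],
    }


if __name__ == "__main__":
    print(audit(sys.argv[1] if len(sys.argv) > 1 else "."))
```

A tools.py beside a TEMPLATE.yaml can be a legitimate part of a recipe, so the output is a list of files to review against what was deployed, not a verdict.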

What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade PraisonAI to version 4.6.32 or later, where this vulnerability has been patched.

If upgrading is not immediately possible, consider disabling or restricting the ability to run recipes that reference local absolute paths or arbitrary GitHub repositories, especially since SecurityConfig.allow_any_github defaults to True.

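Another mitigation is to set the environment variable PRAISONAI_ALLOW_LOCAL_TOOLS to false or ensure it is not set to true, which prevents auto-import of local tools.py files through the two sinks gated by the CVE-2026-40287 fix (tool_resolver.py and api/call.py). In affected versions this setting does not cover the import in praisonai/templates/tool_override.py, which is unguarded and needs no environment opt-in, so it does not replace the upgrade.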

Additionally, monitor and restrict access to the /v1/recipes/run endpoint to trusted users or networks to reduce the risk of remote exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote code execution, which can lead to unauthorized access, data breaches, and manipulation of sensitive information.

Such security weaknesses can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

Because the vulnerability enables attackers to execute arbitrary code without authentication, it increases the risk of data exposure or alteration, potentially violating confidentiality, integrity, and availability requirements mandated by these regulations.

