CVE-2026-44339
Permission Bypass in PraisonAI via Tool Call Injection
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | to 4.6.37 (exc) |
| praison | praisonaiagents | to 1.6.37 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-470 | The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44339 is a vulnerability in the PraisonAI and praisonaiagents packages where the system resolves a tool name by checking the declared tools first, then a registry, and finally falling back to callables found in the module globals and the __main__ module when the name is not found in either. Because the default permission setting (_perm_allow) is None, the permission gate only rejects names on its dangerous list; any other undeclared tool name passes through to the fallback.
This means an attacker who can influence the names of tools being called can cause the system to execute application functions that were never declared as tools, potentially bypassing security controls.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute unintended application callables with the privileges of the application. This can lead to unauthorized changes in the application's state, exposure of sensitive data, or execution of arbitrary commands.
Because the attack complexity is low and no privileges or user interaction are required, the impact on confidentiality, integrity, and availability can be significant.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is running vulnerable versions of PraisonAI (<= 4.6.36) or praisonaiagents (<= 1.6.36). Additionally, monitoring for unexpected or unauthorized execution of application callables that were never declared as tools can indicate exploitation attempts.
Since the vulnerability arises from the `ToolExecutionMixin.execute_tool` function resolving undeclared tool names against globals and the __main__ module, you can look for unusual tool-call names being executed or audit logs for calls to unexpected functions.
Specific commands are not provided in the resources, but general approaches include:
- Check the installed versions of PraisonAI and praisonaiagents packages to confirm if they are vulnerable.
- Review application logs for tool-call executions that do not match declared tools or the registry.
- Use monitoring tools or scripts to detect calls to global or __main__ module functions that should not be accessible.
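The page gives no commands, so the following is an added detection helper, not something shipped by the advisory or by the PraisonAI project. It does two of the things listed above: compares the locally installed package versions against the first fixed releases named on this page (4.6.37 and 1.6.37), and scans log text for tool-call names that are in neither the declared tool set nor the registry. The `tool_call name=<x>` log format, the sample log lines, and the function names (`is_vulnerable`, `check_installed`, `undeclared_tool_calls`) are assumptions made for the example; adapt the regular expression to whatever your agent actually logs.

```python
"""Added detection helpers for CVE-2026-44339 (example code, not the project's own).

Version thresholds come from the advisory; the log layout below is a
constructed stand-in, not PraisonAI's real log format.
"""
import re
from importlib.metadata import PackageNotFoundError, version
from typing import Dict, List, Optional, Set, Tuple

# First fixed versions named in the advisory.
FIXED_VERSIONS = {"praisonai": "4.6.37", "praisonaiagents": "1.6.37"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-only comparison; sufficient for the x.y.z scheme these packages use."""
    return tuple(int(p) for p in re.findall(r"\d+", v)[:3])


def is_vulnerable(package: str, installed: str) -> bool:
    """True when the installed version is below the first fixed release."""
    return parse_version(installed) < parse_version(FIXED_VERSIONS[package])


def check_installed() -> Dict[str, Optional[bool]]:
    """Query the local environment; a value of None means the package is not installed."""
    result: Dict[str, Optional[bool]] = {}
    for pkg in FIXED_VERSIONS:
        try:
            result[pkg] = is_vulnerable(pkg, version(pkg))
        except PackageNotFoundError:
            result[pkg] = None
    return result


# Constructed sample log lines in an assumed "tool_call name=<x>" format.
SAMPLE_LOG = """\
2026-05-08T10:00:01Z INFO agent=research tool_call name=lookup_weather args={"city":"Oslo"}
2026-05-08T10:00:02Z INFO agent=research tool_call name=search_docs args={"q":"cve"}
2026-05-08T10:00:03Z INFO agent=research tool_call name=delete_all_records args={}
2026-05-08T10:00:04Z INFO agent=research tool_call name=__import__ args={"name":"os"}
"""

TOOL_CALL_RE = re.compile(r"tool_call name=(?P<name>[A-Za-z_][A-Za-z0-9_.]*)")


def undeclared_tool_calls(log_text: str, declared: Set[str], registry: Set[str]) -> List[str]:
    """Return the names of executed tools that appear in neither the declared set nor the registry.

    Any hit is a tool name that could only have been satisfied by the
    globals()/__main__ fallback described in the advisory, so it is worth review.
    """
    known = declared | registry
    flagged = []
    for line in log_text.splitlines():
        m = TOOL_CALL_RE.search(line)
        if m and m.group("name") not in known:
            flagged.append(m.group("name"))
    return flagged


if __name__ == "__main__":
    print("installed:", check_installed())
    print("undeclared calls:", undeclared_tool_calls(SAMPLE_LOG, {"lookup_weather"}, {"search_docs"}))
```

Run it inside the same virtual environment as the agent, since `importlib.metadata` only sees packages installed there; `None` in the version report means the package was not found rather than that it is safe.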
What immediate steps should I take to mitigate this vulnerability?
The immediate and recommended mitigation is to upgrade PraisonAI to version 4.6.37 or later and praisonaiagents to version 1.6.37 or later, where the vulnerability has been patched.
Until the upgrade can be performed, consider configuring the agent permissions to enforce an allowlist by setting `_perm_allow` to a non-None value, which will reject undeclared tool names and prevent unauthorized execution of application callables.
Additionally, restrict access to the system to trusted users only and monitor for suspicious activity related to tool-call executions.
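As an added illustration (example code, not PraisonAI's own implementation), the toy resolver below reproduces the name-resolution pattern that the explanation at the top of this Q&A and the interim mitigation just above both describe: declared tools first, then a registry, then a fallback to module globals and `__main__`, all behind a permission gate whose `None` default rejects only a short list of dangerous names. The class `ToolResolver`, the functions `lookup_weather`, `delete_all_records`, `build_resolver` and `run_tool`, and the `DANGEROUS_NAMES` set are assumptions chosen for the demonstration; `perm_allow` stands in for the `_perm_allow` setting. Building the resolver with `hardened=True` shows the allowlist mitigation: a non-None set of permitted names rejects any tool name that was not declared before the fallback is ever reached.

```python
"""Illustrative reconstruction of the CWE-470 pattern behind CVE-2026-44339.

Added example code, not PraisonAI's implementation. All names here are
assumptions chosen for the demonstration.
"""
import sys
from typing import Callable, Dict, Iterable, Optional

# Names the weak default gate would still reject (constructed list).
DANGEROUS_NAMES = {"os.system", "subprocess", "eval", "exec"}


def delete_all_records() -> str:
    """Lives in the application module but was never declared as a tool."""
    return "records deleted"


def lookup_weather(city: str) -> str:
    """The one function the application intentionally exposes as a tool."""
    return f"weather for {city}: sunny"


class ToolResolver:
    """Resolve a model-supplied tool name to a callable.

    perm_allow=None reproduces the weak default: only names on the dangerous
    list are rejected, so any other undeclared name can still reach the
    globals()/__main__ fallback. A non-None allowlist rejects everything else.
    """

    def __init__(self, declared: Dict[str, Callable], registry: Dict[str, Callable],
                 perm_allow: Optional[Iterable[str]] = None):
        self.declared = declared
        self.registry = registry
        self.perm_allow = None if perm_allow is None else set(perm_allow)

    def _permitted(self, name: str) -> bool:
        if self.perm_allow is None:
            return name not in DANGEROUS_NAMES   # weak gate: blocklist only
        return name in self.perm_allow           # hardened gate: allowlist

    def resolve(self, name: str) -> Optional[Callable]:
        if not self._permitted(name):
            return None
        if name in self.declared:
            return self.declared[name]
        if name in self.registry:
            return self.registry[name]
        # Fallback described in the advisory: module globals, then __main__.
        fn = globals().get(name) or getattr(sys.modules.get("__main__"), name, None)
        return fn if callable(fn) else None


def build_resolver(hardened: bool) -> ToolResolver:
    """hardened=False is the vulnerable default; hardened=True applies the allowlist."""
    declared = {"lookup_weather": lookup_weather}
    return ToolResolver(declared, registry={},
                        perm_allow=declared.keys() if hardened else None)


def run_tool(resolver: ToolResolver, name: str, *args) -> Optional[str]:
    """Return the tool's result, or None when the resolver refuses the name."""
    fn = resolver.resolve(name)
    return None if fn is None else fn(*args)


if __name__ == "__main__":
    for hardened in (False, True):
        r = build_resolver(hardened)
        print(f"hardened={hardened}: lookup_weather ->", run_tool(r, "lookup_weather", "Oslo"))
        print(f"hardened={hardened}: delete_all_records ->", run_tool(r, "delete_all_records"))
```

The point to take from the two runs is that the blocklist gate and the allowlist gate behave identically for the declared tool, and differ only for the undeclared helper: with the `None` default it is reached through the fallback, with the allowlist it is refused before any lookup happens. That is why the interim mitigation of setting the permission allowlist to a non-None value closes the gap even before the upgrade.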
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to execute unintended application callables with the application's privileges, potentially leading to unauthorized state changes, data exposure, or command execution.
Such unauthorized data exposure and integrity violations could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.