CVE-2026-44339
Modified Modified - Updated After Analysis
Permission Bypass in PraisonAI via Tool Call Injection

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-44339
EUVD
EUVD-2026-28642
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
praison praisonai to 4.6.37 (exc)
praison praisonaiagents to 1.6.37 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-44339 is a vulnerability in the PraisonAI and praisonaiagents packages where the system resolves tool names by checking declared tools, a registry, and then falls back to global and __main__ module callables if the tool name is not found. Because the default permission setting (_perm_allow) is None, undeclared tool names that are not dangerous are not blocked by the permission gate.

This means an attacker who can influence the names of tools being called can cause the system to execute unintended application functions that were never declared as tools, potentially bypassing security controls.

Impact Analysis

This vulnerability can allow an attacker to execute unintended application callables with the privileges of the application. This can lead to unauthorized changes in the application's state, exposure of sensitive data, or execution of arbitrary commands.

Because the attack complexity is low and no privileges or user interaction are required, the impact on confidentiality, integrity, and availability can be significant.

Detection Guidance

Detection of this vulnerability involves identifying if your system is running vulnerable versions of PraisonAI (<= 4.6.36) or praisonaiagents (<= 1.6.36). Additionally, monitoring for unexpected or unauthorized execution of application callables that were never declared as tools can indicate exploitation attempts.

Since the vulnerability arises from the `ToolExecutionMixin.execute_tool` function resolving undeclared tool names against globals and the __main__ module, you can look for unusual tool-call names being executed or audit logs for calls to unexpected functions.

Specific commands are not provided in the resources, but general approaches include:

  • Check the installed versions of PraisonAI and praisonaiagents packages to confirm if they are vulnerable.
  • Review application logs for tool-call executions that do not match declared tools or the registry.
  • Use monitoring tools or scripts to detect calls to global or __main__ module functions that should not be accessible.
Mitigation Strategies

The immediate and recommended mitigation is to upgrade PraisonAI to version 4.6.37 or later and praisonaiagents to version 1.6.37 or later, where the vulnerability has been patched.

Until the upgrade can be performed, consider configuring the agent permissions to enforce an allowlist by setting `_perm_allow` to a non-None value, which will reject undeclared tool names and prevent unauthorized execution of application callables.

Additionally, restrict access to the system to trusted users only and monitor for suspicious activity related to tool-call executions.

Compliance Impact

The vulnerability allows an attacker to execute unintended application callables with the application's privileges, potentially leading to unauthorized state changes, data exposure, or command execution.

Such unauthorized data exposure and integrity violations could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality and integrity.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44339. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart