CVE-2026-61437
Received Received - Intake

Unsafe Dynamic Module Loading in PraisonAI

Vulnerability report for CVE-2026-61437, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-10

Last updated on: 2026-07-10

Assigner: VulnCheck

Description

PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow._resolve_pydantic_class (src/praisonai-agents/praisonaiagents/workflows/workflows.py). When a workflow step uses a string output_pydantic reference, the framework locates and imports a sibling tools.py from the workflow file's directory via importlib exec_module without sandboxing, ignoring the PRAISONAI_ALLOW_*_TOOLS environment variables. An attacker who controls a workflow file and its sibling tools.py can execute arbitrary Python code with the workflow runner's privileges when the workflow is executed via WorkflowManager or after load_yaml.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-10
Last Modified
2026-07-10
Generated
2026-07-10
AI Q&A
2026-07-10
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praisonai praisonaiagents to 1.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-693 The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61437 is a high-severity vulnerability in PraisonAI (pip package praisonaiagents) versions before 1.6.78. It involves unsafe dynamic module loading in the AgentFlow._resolve_pydantic_class function. When a workflow step uses a string output_pydantic reference, the framework automatically locates and imports a sibling tools.py file from the workflow directory using importlib.exec_module without sandboxing or respecting environment variable restrictions.

An attacker who controls both the workflow file and its sibling tools.py file can execute arbitrary Python code with the privileges of the workflow runner when the workflow is executed via WorkflowManager or after load_yaml.

Impact Analysis

Exploitation of this vulnerability allows an attacker to execute arbitrary Python code with the workflow runner's privileges. This can lead to several impacts including reading local files, accessing process secrets, modifying workflow behavior, performing network operations, or executing system commands.

The attack vector is local, requires low complexity, no privileges, and user interaction. Users running workflows from untrusted sources such as repositories, templates, or CI/CD artifacts are at risk.

Compliance Impact

This vulnerability allows an attacker to execute arbitrary Python code with the privileges of the workflow runner by controlling a workflow file and its sibling tools.py file. Successful exploitation can lead to reading local files, accessing process secrets, modifying workflow behavior, performing network operations, or executing system commands.

Such unauthorized access and control over sensitive data and system operations can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Therefore, organizations using affected versions of PraisonAI may face compliance risks if this vulnerability is exploited, as it could result in unauthorized disclosure or alteration of protected data.

Detection Guidance

This vulnerability occurs when a workflow step uses a string output_pydantic reference that causes the framework to import and execute a sibling tools.py file without sandboxing. Detection involves identifying if any workflow files and their sibling tools.py files are controlled by untrusted sources or contain suspicious code.

You can inspect your workflow directories for the presence of tools.py files alongside workflow files and review their contents for unauthorized or suspicious code.

Suggested commands to detect potentially malicious tools.py files or suspicious workflow files include:

  • Find all tools.py files in your workflow directories: `find /path/to/workflows -name tools.py`
  • Check for recent modifications or unexpected changes: `find /path/to/workflows -name tools.py -exec ls -l {} \;` or `git diff` if using version control
  • Search for suspicious imports or code patterns in tools.py files: `grep -r --include=tools.py 'importlib.exec_module' /path/to/workflows` or `grep -r --include=tools.py 'exec' /path/to/workflows`

Monitoring workflow execution logs for unexpected behavior or errors related to module loading may also help detect exploitation attempts.

Mitigation Strategies

The primary mitigation is to upgrade PraisonAI to version 1.6.78 or later, where this unsafe dynamic module loading vulnerability has been fixed.

Until an upgrade is possible, avoid executing workflows from untrusted sources or repositories, especially those that include a sibling tools.py file.

Restrict or sandbox the environment where workflows are executed to limit the privileges of the workflow runner and prevent arbitrary code execution.

Review and audit existing workflow directories for unauthorized or suspicious tools.py files and remove or quarantine them.

Consider implementing additional monitoring and alerting on workflow executions to detect unusual activity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61437. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart