Skip to main content

PraisonAI EUVDEUVD-2026-28642

| CVE-2026-44339 HIGH
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') (CWE-470)
2026-05-08 security-advisories@github.com GHSA-gmjg-hv98-qggq
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

3
Patch available
May 08, 2026 - 15:17 EUVD
Analysis Generated
May 08, 2026 - 15:01 vuln.today
CVE Published
May 08, 2026 - 14:16 nvd
HIGH 8.6

DescriptionGitHub Advisory

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.

AnalysisAI

Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.

Technical ContextAI

PraisonAI is a multi-agent AI orchestration framework that manages tool execution through declared tool registries. The vulnerability stems from CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), where the tool resolution mechanism falls back to Python's module globals() and __main__ namespace after exhausting the declared tool list and registry. With the default _perm_allow=None configuration, the permission gate does not reject tool names that don't match dangerous patterns, creating a type confusion vulnerability. An attacker who controls tool-call names (potentially through prompt injection or API parameter manipulation) can reference any callable object in the application's global namespace, effectively bypassing the intended tool sandboxing and executing arbitrary Python functions that were never intended as agent tools.

RemediationAI

Upgrade immediately to patched versions: praisonai 4.6.37 or later and praisonaiagents 1.6.37 or later, both released to address this vulnerability per GitHub Security Advisory GHSA-gmjg-hv98-qggq (https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq). If immediate patching is not feasible, implement strict input validation on all tool-call name parameters, configure explicit _perm_allow whitelists to reject undeclared tool names, and review application code to ensure sensitive callables are not exposed in module globals or __main__ namespaces. Compensating controls: implement monitoring for unexpected function calls outside declared tool lists, restrict agent access to network resources to limit lateral movement if exploitation occurs, and validate all tool invocations against an explicit allowlist before execution (note this adds significant operational overhead and may break legitimate tool discovery features).

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

EUVD-2026-28642 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy