Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.
AnalysisAI
Remote attackers can invoke arbitrary application callables in PraisonAI multi-agent systems by manipulating tool-call names to bypass tool declaration controls. Vulnerable versions (praisonai <4.6.37, praisonaiagents <1.6.37) resolve unmatched tool names against module globals and __main__ namespaces without permission validation when _perm_allow is None (default configuration). This enables unauthorized function execution beyond the intended tool list, allowing integrity compromise and potential information disclosure. Patched versions 4.6.37 and 1.6.37 address the tool name resolution vulnerability.
Technical ContextAI
PraisonAI is a multi-agent AI orchestration framework that manages tool execution through declared tool registries. The vulnerability stems from CWE-470 (Use of Externally-Controlled Input to Select Classes or Code), where the tool resolution mechanism falls back to Python's module globals() and __main__ namespace after exhausting the declared tool list and registry. With the default _perm_allow=None configuration, the permission gate does not reject tool names that don't match dangerous patterns, creating a type confusion vulnerability. An attacker who controls tool-call names (potentially through prompt injection or API parameter manipulation) can reference any callable object in the application's global namespace, effectively bypassing the intended tool sandboxing and executing arbitrary Python functions that were never intended as agent tools.
RemediationAI
Upgrade immediately to patched versions: praisonai 4.6.37 or later and praisonaiagents 1.6.37 or later, both released to address this vulnerability per GitHub Security Advisory GHSA-gmjg-hv98-qggq (https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq). If immediate patching is not feasible, implement strict input validation on all tool-call name parameters, configure explicit _perm_allow whitelists to reject undeclared tool names, and review application code to ensure sensitive callables are not exposed in module globals or __main__ namespaces. Compensating controls: implement monitoring for unexpected function calls outside declared tool lists, restrict agent access to network resources to limit lateral movement if exploitation occurs, and validate all tool invocations against an explicit allowlist before execution (note this adds significant operational overhead and may break legitimate tool discovery features).
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28642
GHSA-gmjg-hv98-qggq