Description
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32.
Published: 2026-05-08
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI contains a vulnerability that allows unauthenticated remote code execution. An unguarded import sink in praisonai/templates/tool_override.py is reached by the recipe runner on every recipe execution, so an attacker can place a crafted tools.py next to a recipe's TEMPLATE.yaml. When a POST request to /v1/recipes/run causes the server to exec_module() that file, the attacker's code runs with the server's privileges. No authentication is required, and the flaw can be triggered with a recipe value pointing at either a local absolute path or an unrestricted GitHub repository.
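The failure mode above is a per-call-site guard that one sink never received. As an added example (not PraisonAI's code), the sketch below routes every tools.py import through one function that enforces the PRAISONAI_ALLOW_LOCAL_TOOLS opt-in and confines the path to trusted directories. The function names, the trusted_roots parameter, the case-insensitive flag comparison and the sample files are assumptions.

```python
import importlib.util
import os
import tempfile
from pathlib import Path

ENV_FLAG = "PRAISONAI_ALLOW_LOCAL_TOOLS"  # opt-in flag named in the advisory


def local_tools_allowed(environ=os.environ):
    """True only when the operator has explicitly opted in (assumed: 'true', any case)."""
    return environ.get(ENV_FLAG, "").strip().lower() == "true"


def load_recipe_tools(recipe_dir, trusted_roots, environ=os.environ):
    """Hypothetical single chokepoint for importing a recipe's tools.py.

    Returns the loaded module, or None when the import is refused.
    """
    if not local_tools_allowed(environ):
        return None  # default deny: no opt-in, no exec_module()
    tools = (Path(recipe_dir) / "tools.py").resolve()
    roots = [Path(r).resolve() for r in trusted_roots]
    # Refuse anything outside the operator's trusted recipe directories,
    # including symlinks that resolve elsewhere.
    if not any(tools.is_relative_to(root) for root in roots):
        return None
    if not tools.is_file():
        return None
    spec = importlib.util.spec_from_file_location("recipe_tools", tools)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # the sink: runs the file's top-level code
    return module


def demo():
    """Constructed sample: recipe directories holding TEMPLATE.yaml and tools.py."""
    with tempfile.TemporaryDirectory() as trusted, tempfile.TemporaryDirectory() as other:
        for d in (trusted, other):
            Path(d, "TEMPLATE.yaml").write_text("name: sample\n")
            Path(d, "tools.py").write_text("LOADED = True\n")
        opt_in = {ENV_FLAG: "true"}
        return {
            "no_opt_in": load_recipe_tools(trusted, [trusted], environ={}),
            "untrusted_dir": load_recipe_tools(other, [trusted], environ=opt_in),
            "trusted_opt_in": load_recipe_tools(trusted, [trusted], environ=opt_in).LOADED,
        }


if __name__ == "__main__":
    print(demo())
```

With one loader, a code search for exec_module outside this function is enough to confirm that no other import sink exists.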

Affected Systems

Installations of MervinPraison’s PraisonAI from version 4.5.139 up to, but not including, 4.6.32 are affected.

Risk and Exploitability

The CVSS score of 8.4 indicates a severe impact. The EPSS value is not available and the vulnerability is not listed in CISA KEV, so there is no indication of known exploits yet. However, the lack of authentication and the ability to execute arbitrary code via a simple HTTP call make exploitation highly feasible. Until the patch to 4.6.32 is applied, the risk remains high for any exposed PraisonAI instance.

Generated by OpenCVE AI on May 8, 2026 at 18:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.32 or later.
  • Restrict the /v1/recipes/run endpoint to authenticated users or disable it if not required.
  • Set SecurityConfig.allow_any_github to false to prevent arbitrary GitHub repository execution, and limit recipe paths to trusted directories.

Generated by OpenCVE AI on May 8, 2026 at 18:41 UTC.

Advisories
Source: Github GHSA
ID: GHSA-xcmw-grxf-wjhj
Title: PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)

History

Sat, 09 May 2026 00:15:00 +0000

Values Added:
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 08 May 2026 22:15:00 +0000

Values Added:
  • First Time appeared: Mervinpraison; Mervinpraison praisonai
  • Vendors & Products: Mervinpraison; Mervinpraison praisonai

Fri, 08 May 2026 19:15:00 +0000

Values Added:
  • First Time appeared: Praison; Praison praisonai
  • CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
  • Vendors & Products: Praison; Praison praisonai

Fri, 08 May 2026 14:00:00 +0000

Values Added:
  • Description: PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32.
  • Title: PraisonAI: Unauthenticated RCE via `tool_override.py`
  • Weaknesses: CWE-94
  • References
  • Metrics: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T23:20:28.539Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44334

Vulnrichment

Updated: 2026-05-08T23:20:21.333Z

NVD

Status: Analyzed

Published: 2026-05-08T14:16:46.143

Modified: 2026-05-08T19:09:37.400

Link: CVE-2026-44334

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T22:00:14Z

Weaknesses