Description
PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.
Published: 2026-05-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI allows an attacker who can influence agent tool‑call names to execute undeclared callables within the application. The flaw originates from the ToolExecutionMixin resolving unknown tool names against module globals and the __main__ namespace when the declared list and registry do not contain the requested name. Because the default permission gate variable _perm_allow is None, these non‑dangerous tool names bypass authorization checks, permitting execution of code that was never intended to be exposed as a tool. The attacker can run arbitrary functions defined in the application.

Affected Systems

Affected systems include PraisonAI multi‑agent teams delivered by MervinPraison. The vulnerability affects all releases prior to PraisonAI 4.6.37 and PraisonAIAgents 1.6.37; newer releases contain the fix.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. EPSS data is not available, so precise exploitation probability cannot be quantified, and the issue is not listed in CISA’s KEV catalog. The likely attack vector is through crafted agent messages or inputs that specify tool names not present in the declared tool list, thereby reaching the underlying resolution logic. Once triggered, the agent can execute arbitrary callables in the same process with the privileges of the agent, effectively enabling uncontrolled code execution.

Generated by OpenCVE AI on May 8, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PraisonAI 4.6.37 or newer and PraisonAIAgents 1.6.37 or newer. This patch removes the unsafe resolution path.
  • Configure the agent’s permission gate by setting _perm_allow to a restrictive value or disabling it; this ensures that only declared tools are executable, preventing accidental call of undeclared functions.
  • Audit the agent configuration and the list of available tools to confirm that no unintended callables are exposed, and remove or rename any that might be invoked through the tool resolution process.

Generated by OpenCVE AI on May 8, 2026 at 19:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*
Vendors & Products Praison
Praison praisonai
Praison praisonaiagents

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.
Title PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Weaknesses CWE-470
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T21:27:22.924Z

Reserved: 2026-05-05T19:52:59.147Z

Link: CVE-2026-44339

cve-icon Vulnrichment

Updated: 2026-05-08T17:04:12.417Z

cve-icon NVD

Status : Modified

Published: 2026-05-08T14:16:46.887

Modified: 2026-05-08T22:16:33.653

Link: CVE-2026-44339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:00:14Z

Weaknesses