CVE-2026-34939 Overview
A Regular Expression Denial of Service (ReDoS) vulnerability has been identified in PraisonAI, a multi-agent teams system. Prior to version 4.5.90, the MCPToolIndex.search_tools() function compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.
Critical Impact
This vulnerability allows unauthenticated remote attackers to cause complete service denial by submitting malicious regex patterns that trigger catastrophic backtracking, rendering the PraisonAI service unresponsive for extended periods.
Affected Products
- PraisonAI versions prior to 4.5.90
Discovery Timeline
- 2026-04-03 - CVE-2026-34939 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34939
Vulnerability Analysis
This vulnerability is classified as CWE-1333: Inefficient Regular Expression Complexity. The core issue lies in the MCPToolIndex.search_tools() function, which accepts user-supplied input and directly compiles it as a Python regular expression without any form of input validation, sanitization, or execution timeout mechanisms.
When a maliciously crafted pattern is submitted, Python's re engine, a backtracking matcher with no step budget and no timeout, enters catastrophic backtracking: ambiguous or nested quantifiers give the matcher an exponential number of ways to partition the subject text, and on a failing match it tries every one of them. The match runs inside the C extension, so a signal-based alarm cannot interrupt it and, because the GIL is held for the duration, other threads in the same process stall as well. The calling thread stays blocked for hundreds of seconds while the pattern is evaluated.
The vulnerability is network-accessible with low attack complexity and requires no authentication or user interaction, making it particularly dangerous for internet-facing deployments of PraisonAI. While the vulnerability does not impact confidentiality or integrity, it poses a significant availability risk by enabling complete service denial.
Root Cause
The root cause stems from the direct compilation of untrusted user input into Python regular expression patterns without implementing standard defensive measures. The MCPToolIndex.search_tools() function lacks:
- Input Validation - No check for dangerous constructs such as nested or overlapping quantifiers, and no rejection of patterns that fail to compile
- Input Sanitization - No re.escape() of the query, so a caller who only wants a plain substring match still has their text interpreted as a pattern
- Execution Timeout - No time limit on evaluation; the standard-library re module offers none, so a bound has to be enforced outside the call (for example in a worker process that can be killed)
- Pattern Complexity Limits - No restrictions on pattern length, nesting depth, or the amount of indexed text scanned per query
Attack Vector
The attack is executed over the network against exposed PraisonAI instances. The attacker controls only the pattern, not the indexed tool names and descriptions it is matched against, so the pattern is built to fail late: nested repetitions such as (a+)+, overlapping alternations such as (a|a)+, or shapes like (.*)*X where X does not occur in the indexed text force the engine to retry every split of the subject before giving up.
When submitted to the search_tools() endpoint, the malicious pattern causes the underlying Python thread to become computationally locked while the regex engine attempts to resolve all possible match permutations. This effectively blocks the service from processing legitimate requests, resulting in a denial of service condition that persists until the regex evaluation completes or the process is terminated.
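To make the failure mode and the fix concrete, the following is an added example written for this page, not PraisonAI's own code. It models a tiny tool index with the vulnerable shape described in the Vulnerability Analysis and Root Cause sections (search_tools_vulnerable, which compiles the query unchecked) beside a hardened search_tools that addresses each missing control: a pattern-length cap, re.escape() so the default is a literal substring search, a cap on the indexed text scanned per tool, and a parse-tree lint that rejects nested or very wide repetitions and ambiguous alternations before compiling. The tool list, the caps, the WIDE_REPEAT heuristic and the function names are assumptions; the lint walks CPython's regex parse tree through the private re._parser / sre_parse module, which is a deliberate dependency on an internal API.

```python
"""Added example (not PraisonAI's code): the vulnerable search shape described
above beside a hardened version. Tool data, caps and names are constructed."""
import re
import time
from _sre import MAXREPEAT  # value the parser stores for an unbounded upper bound

# Python 3.11+ keeps the regex parser at re._parser; older versions expose
# sre_parse. Both build the same (opcode, argument) tree that _walk() inspects.
try:
    from re import _parser as sre_parse
except ImportError:  # Python < 3.11
    import sre_parse

_REPEAT_OPS = {sre_parse.MAX_REPEAT, sre_parse.MIN_REPEAT,
               getattr(sre_parse, "POSSESSIVE_REPEAT", sre_parse.MAX_REPEAT)}  # 3.11+
_ATOMIC = getattr(sre_parse, "ATOMIC_GROUP", None)  # 3.11+ only
MAX_PATTERN_LEN = 128  # assumed cap: tool searches never need longer patterns
MAX_SUBJECT_LEN = 512  # assumed cap on indexed text scanned per tool
WIDE_REPEAT = 10       # heuristic: {n,m} with m >= 10 is treated as unbounded

# Constructed sample index of (name, description) pairs.
TOOLS = [
    ("read_file", "Read a file from the local workspace"),
    ("write_file", "Write text to a file in the workspace"),
    ("web_search", "Search the web and return result snippets"),
    ("run_shell", "Execute a shell command"),
]

def search_tools_vulnerable(query):
    """The unsafe shape: caller input compiled as a regex with no checks."""
    rx = re.compile(query)  # intentionally unchecked, as in the advisory
    return [n for n, d in TOOLS if rx.search(n) or rx.search(d)]

def _walk(sub, wide_depth):
    """Return a reason if `sub` has a ReDoS-prone shape, else None.
    wide_depth counts the enclosing unbounded (or very wide) repeats."""
    for op, av in sub:
        reason = None
        if op in _REPEAT_OPS:
            _lo, hi, body = av
            wide = hi == MAXREPEAT or hi >= WIDE_REPEAT
            if wide and wide_depth > 0:
                return "nested unbounded repetition"
            reason = _walk(body, wide_depth + (1 if wide else 0))
        elif op == sre_parse.SUBPATTERN:
            reason = _walk(av[-1], wide_depth)
        elif op == sre_parse.BRANCH:
            branches = av[1]
            # The parser factors common prefixes, so (a|a) arrives as a(|):
            # an empty or duplicated alternative under a repeat is ambiguous.
            sigs = [repr(b[0]) if len(b) else "" for b in branches]
            if wide_depth > 0 and ("" in sigs or len(set(sigs)) < len(sigs)):
                return "ambiguous alternation inside repetition"
            reason = next(filter(None, (_walk(b, wide_depth) for b in branches)), None)
        elif op in (sre_parse.ASSERT, sre_parse.ASSERT_NOT):
            reason = _walk(av[1], wide_depth)
        elif _ATOMIC is not None and op == _ATOMIC:
            reason = _walk(av, wide_depth)
        elif op == sre_parse.GROUPREF_EXISTS:  # (?(1)yes|no): av = (group, yes, no)
            reason = next(filter(None, (_walk(b, wide_depth) for b in av[1:] if b)), None)
        if reason:
            return reason
    return None

def validate_pattern(pattern):
    """Raise ValueError for any pattern the hardened search refuses to compile."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    try:
        tree = sre_parse.parse(pattern)
    except re.error as exc:
        raise ValueError(f"invalid regex: {exc}") from None
    reason = _walk(tree, 0)
    if reason:
        raise ValueError(f"rejected pattern: {reason}")

def is_safe_pattern(pattern):
    try:
        validate_pattern(pattern)
    except ValueError:
        return False
    return True

def search_tools(query, regex=False):
    """Hardened: literal substring by default; regex only after validation, with
    the scanned text capped so a pattern the lint misses still has bounded input."""
    if len(query) > MAX_PATTERN_LEN:
        raise ValueError("query too long")
    if regex:
        validate_pattern(query)
        rx = re.compile(query, re.IGNORECASE)
    else:
        rx = re.compile(re.escape(query), re.IGNORECASE)  # metacharacters neutralised
    return [n for n, d in TOOLS
            if rx.search(n[:MAX_SUBJECT_LEN]) or rx.search(d[:MAX_SUBJECT_LEN])]

if __name__ == "__main__":
    # The blow-up the advisory describes: roughly 16x more time per 4 extra chars.
    for n in (10, 14, 18):
        t0 = time.perf_counter()
        re.match(r"(a+)+$", "a" * n + "!")
        print(f"(a+)+$ against {n} a's: {time.perf_counter() - t0:.4f}s")
    print(search_tools("file"), is_safe_pattern("(a+)+$"))
```

Running the module prints match times for (a+)+$ against 10, 14 and 18 a's followed by a character that makes the match fail, which grow by roughly 16x per four characters. The lint is a heuristic: it catches the nested-quantifier and duplicated-alternative shapes named in the advisory but not every ambiguous pattern, which is why the literal default and the subject-length cap stay in place, and why a service using the standard-library re module, which has no timeout of its own, should still run behind an external request deadline that can kill the worker.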
Detection Methods for CVE-2026-34939
Indicators of Compromise
- Unusually long-running Python processes associated with PraisonAI
- Service unresponsiveness or timeout errors from PraisonAI endpoints
- High CPU utilization on PraisonAI host systems without corresponding legitimate workload
- Repeated search requests containing complex regex-like patterns with nested quantifiers
Detection Strategies
- Monitor application logs for requests to search_tools() whose query contains stacked quantifiers, visible as substrings such as +)+, *)*, or }){ (produced by constructs like (a+)+, (a*)*, or (x{n,}){n,})
- Implement request logging and analysis to identify anomalous search query patterns
- Deploy web application firewall rules to detect and block regex injection attempts
- Set up alerting for thread blocking or unresponsive service conditions
Monitoring Recommendations
- Track request duration metrics for the search_tools() function to identify anomalous processing times
- Configure CPU utilization alerts on systems running PraisonAI
- Implement service health checks with appropriate timeout thresholds to detect unresponsive states
- Review access logs for repeated requests from single sources targeting search functionality
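As an added example of the detection strategies and monitoring recommendations above (not part of the page or of PraisonAI), the following scans request logs for the three signals those lists describe: search_tools() queries that look like stacked or duplicated quantifiers, requests whose duration exceeds a threshold, and bursts of search requests from one source. The log format, field names, thresholds and the sample lines (using documentation-range addresses) are constructed assumptions; PraisonAI's real log layout is not described on this page, so LINE_RE would need adapting.

```python
"""Added example (not PraisonAI's code): flag ReDoS-shaped search_tools()
requests, slow requests and bursts from one source in request logs."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed key=value layout; adapt LINE_RE to
# the real log format. Addresses are from the documentation ranges.
SAMPLE_LOG = r"""
2026-04-05T10:12:01Z src=198.51.100.4 op=search_tools query="file" duration_ms=3 status=ok
2026-04-05T10:12:02Z src=198.51.100.9 op=search_tools query="^read_\w+$" duration_ms=2 status=ok
2026-04-05T10:12:05Z src=203.0.113.7 op=search_tools query="(a+)+$" duration_ms=184000 status=timeout
2026-04-05T10:12:06Z src=203.0.113.7 op=search_tools query="(a|a)+$" duration_ms=171200 status=timeout
2026-04-05T10:12:07Z src=203.0.113.7 op=search_tools query="(\w+\s?)+$" duration_ms=9400 status=ok
2026-04-05T10:12:09Z src=203.0.113.7 op=list_tools query="" duration_ms=1 status=ok
2026-04-05T10:13:40Z src=198.51.100.4 op=search_tools query="shell" duration_ms=2 status=ok
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) op=(?P<op>\S+) query="(?P<query>.*?)" '
    r'duration_ms=(?P<ms>\d+) status=(?P<status>\S+)$'
)

# Textual markers for stacked quantifiers such as +)+, *)*, ?)+ and }){n,}
# (the indicators listed above), and for a duplicated alternative like (a|a)+.
STACKED_QUANTIFIER = re.compile(r"[+*?}]\)[+*{]")
DUPLICATED_ALTERNATIVE = re.compile(r"\(([^|()]+)\|\1\)[+*{]")

SLOW_MS = 5000        # assumed: a tool search should take milliseconds
BURST_COUNT = 3       # assumed: this many searches from one source ...
BURST_WINDOW_S = 60   # ... within this window is worth a look

def parse_line(line):
    """Return a dict for one log line, or None if it does not match LINE_RE."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["ms"] = int(ev["ms"])
    return ev

def is_redos_shaped(query):
    """Cheap textual check; a parse-tree lint in the application is stronger."""
    return bool(STACKED_QUANTIFIER.search(query) or DUPLICATED_ALTERNATIVE.search(query))

def analyze(log_text):
    """Return (finding, source, detail) tuples for the three signals."""
    findings = []
    searches_by_src = defaultdict(list)
    for ev in filter(None, map(parse_line, log_text.splitlines())):
        if ev["op"] != "search_tools":
            continue
        if is_redos_shaped(ev["query"]):
            findings.append(("suspicious_pattern", ev["src"], ev["query"]))
        if ev["ms"] >= SLOW_MS:
            findings.append(("slow_request", ev["src"], f'{ev["query"]} took {ev["ms"]} ms'))
        searches_by_src[ev["src"]].append(ev["ts"])
    for src, stamps in searches_by_src.items():
        stamps.sort()
        # sliding window over this source's search timestamps
        for i in range(len(stamps) - BURST_COUNT + 1):
            if (stamps[i + BURST_COUNT - 1] - stamps[i]).total_seconds() <= BURST_WINDOW_S:
                findings.append(("burst", src, f"{BURST_COUNT} searches within {BURST_WINDOW_S}s"))
                break
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding, sep="  ")
```

On the sample, every finding points at 203.0.113.7: three suspicious patterns, three slow requests and one burst, while the benign `^read_\w+$` query from another source is not flagged. The duration and burst rules are what catch patterns the textual markers miss, so keep all three even if the pattern check looks redundant.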
How to Mitigate CVE-2026-34939
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.90 or later immediately
- If immediate upgrade is not possible, consider temporarily disabling or restricting access to the search_tools() functionality
- Implement network-level rate limiting to reduce the impact of potential exploitation attempts
- Restrict access to PraisonAI services to trusted networks or authenticated users
Patch Information
The vulnerability has been patched in PraisonAI version 4.5.90. Organizations should update to this version or later to remediate the vulnerability. For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-8w9j-hc3g-3g7f.
Workarounds
- Implement a reverse proxy or WAF rule to filter out requests containing complex regex patterns before they reach the PraisonAI service
- Apply request timeouts at the application or infrastructure level so a single request cannot hold a client connection open indefinitely; note that a proxy or framework timeout releases the connection but does not stop the regex evaluation already running in the worker, so the blocked thread still needs a worker pool that can recycle stuck workers or a process-level restart
- Use network segmentation to limit exposure of PraisonAI services to untrusted networks
- Deploy rate limiting on endpoints that invoke search_tools() to reduce the attack surface
# Example: nginx rate limiting and a client-side timeout in front of PraisonAI
# (the /api/search location and praisonai_backend upstream are placeholders;
# substitute the path that actually reaches search_tools() in your deployment)
limit_req_zone $binary_remote_addr zone=praisonai_limit:10m rate=10r/s;
location /api/search {
    limit_req zone=praisonai_limit burst=20 nodelay;
    # frees the client connection after 30s; the backend thread stays blocked
    proxy_read_timeout 30s;
    proxy_pass http://praisonai_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

