Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-44334

CVE-2026-44334: Praison Praisonai RCE Vulnerability

CVE-2026-44334 is a remote code execution flaw in Praison Praisonai that allows unauthenticated attackers to execute arbitrary code via unguarded tool imports. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-44334 Overview

CVE-2026-44334 is a code injection vulnerability [CWE-94] in PraisonAI, a multi-agent teams system. The flaw affects versions 4.5.139 through 4.6.31. An earlier fix for CVE-2026-40287 gated tools.py auto-import behind the PRAISONAI_ALLOW_LOCAL_TOOLS=true environment variable in tool_resolver.py and api/call.py. A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. The recipe runner reaches this sink on every recipe execution. Attackers can trigger it remotely via POST /v1/recipes/run by pointing the recipe value at any local absolute path or GitHub repository, because SecurityConfig.allow_any_github defaults to True.

Critical Impact

Unauthenticated attackers can achieve arbitrary code execution by dropping a malicious tools.py next to TEMPLATE.yaml, which the server then loads via exec_module().

Affected Products

  • PraisonAI versions 4.5.139 through 4.6.31
  • Deployments exposing the /v1/recipes/run API endpoint
  • Instances relying on default SecurityConfig.allow_any_github=True

Discovery Timeline

  • 2026-05-08 - CVE-2026-44334 published to NVD
  • 2026-05-08 - Last updated in NVD database

Technical Details for CVE-2026-44334

Vulnerability Analysis

The vulnerability stems from an incomplete remediation of CVE-2026-40287. The original fix introduced an environment variable gate, PRAISONAI_ALLOW_LOCAL_TOOLS, to restrict automatic loading of tools.py files alongside recipe templates. The fix applied this gate to tool_resolver.py and api/call.py. However, praisonai/templates/tool_override.py contains a third import sink that was overlooked. This sink imports user-supplied Python modules without checking the opt-in flag.

The recipe runner invokes this code path on every recipe execution. The POST /v1/recipes/run endpoint accepts a recipe parameter referencing either a local absolute path or a GitHub repository URL. The server fetches the referenced repository or reads the local directory, then loads any adjacent tools.py file using Python's exec_module(). No authentication is required by default. No environment opt-in is required to reach the vulnerable code path.

Root Cause

The root cause is an incomplete security control. The patch for CVE-2026-40287 missed an additional import location in the template override module. The CWE-94 classification reflects improper control of code generation, where untrusted Python source is executed as part of normal application flow.

Attack Vector

An attacker hosts a public GitHub repository containing a TEMPLATE.yaml file and a malicious tools.py file. The attacker sends a POST request to /v1/recipes/run with the recipe field set to the repository URL. The PraisonAI server clones the repository and executes the recipe. During execution, tool_override.py imports tools.py, invoking exec_module() on attacker-controlled Python code. The attacker gains code execution in the context of the PraisonAI process.

// Exploitation flow (described in prose - no verified PoC code available)
// 1. Attacker creates GitHub repo with TEMPLATE.yaml + malicious tools.py
// 2. POST /v1/recipes/run { "recipe": "https://github.com/attacker/repo" }
// 3. Server fetches repo, recipe runner invokes tool_override.py
// 4. Unguarded import sink calls exec_module() on tools.py
// 5. Arbitrary Python executes in server context

Detection Methods for CVE-2026-44334

Indicators of Compromise

  • Unexpected outbound connections from PraisonAI hosts to GitHub repositories not authorized by the organization
  • Presence of unfamiliar tools.py files in recipe template directories
  • Process spawns from the PraisonAI service account that deviate from baseline behavior
  • Access log entries for POST /v1/recipes/run referencing external or untrusted recipe sources

Detection Strategies

  • Inspect web server and reverse proxy logs for POST /v1/recipes/run requests with recipe values containing absolute filesystem paths or arbitrary GitHub URLs
  • Monitor for child processes spawned by the PraisonAI runtime that perform network connections, shell execution, or filesystem modification outside expected recipe behavior
  • Audit recipe template directories for newly written tools.py files and compare hashes against known-good templates

Monitoring Recommendations

  • Enable application-level logging that captures the full recipe argument for every /v1/recipes/run invocation
  • Forward PraisonAI host telemetry to a centralized data lake for correlation between HTTP requests and subsequent process activity
  • Alert on any invocation of importlib or exec_module paths originating from tool_override.py if instrumentation is available

How to Mitigate CVE-2026-44334

Immediate Actions Required

  • Upgrade PraisonAI to version 4.6.32 or later, which closes the unguarded import sink in tool_override.py
  • Restrict network access to the /v1/recipes/run endpoint until the upgrade is complete
  • Set SecurityConfig.allow_any_github to False to prevent loading recipes from arbitrary GitHub repositories
  • Enforce authentication on the PraisonAI API surface; the default configuration requires no authentication

Patch Information

The maintainers patched this issue in PraisonAI version 4.6.32. The fix extends the PRAISONAI_ALLOW_LOCAL_TOOLS gate to the third import sink in praisonai/templates/tool_override.py. See the GitHub Security Advisory GHSA-xcmw-grxf-wjhj for full details.

Workarounds

  • Place PraisonAI behind a reverse proxy that requires authentication and blocks external access to /v1/recipes/run
  • Restrict recipe sources to a maintained allowlist of internal Git repositories by overriding SecurityConfig.allow_any_github
  • Run the PraisonAI service under a low-privilege account with no write access to sensitive paths and no outbound network egress beyond required dependencies
bash
# Configuration example - upgrade and restrict recipe sources
pip install --upgrade 'praisonai>=4.6.32'

# Disable arbitrary GitHub recipe loading in SecurityConfig
export PRAISONAI_ALLOW_ANY_GITHUB=false
export PRAISONAI_ALLOW_LOCAL_TOOLS=false

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.