CVE-2026-44339 Overview
CVE-2026-44339 affects PraisonAI, a multi-agent teams framework, and its companion praisonaiagents Python package. The vulnerability allows an attacker who can influence tool-call names to invoke unintended application callables that were never declared as tools. The root cause is unsafe resolution of unresolved tool names against module globals and __main__ after registry lookups fail. With the default agent configuration, _perm_allow is None, so the permission gate does not reject undeclared non-dangerous tool names. The flaw is tracked under CWE-470: Use of Externally-Controlled Input to Select Classes or Code. Fixed releases are praisonai 4.6.37 and praisonaiagents 1.6.37.
Critical Impact
Network-reachable attackers can coerce a PraisonAI agent into executing arbitrary in-process Python callables outside the declared tool set, undermining the agent's tool sandbox and integrity.
Affected Products
- praisonai versions prior to 4.6.37
- praisonaiagents (Python) versions prior to 1.6.37
- Applications embedding PraisonAI agents with default permission configuration (_perm_allow = None)
Discovery Timeline
- 2026-05-08 - CVE-2026-44339 published to NVD
- 2026-05-08 - Last updated in NVD database
Technical Details for CVE-2026-44339
Vulnerability Analysis
PraisonAI agents accept tool-call names produced by an underlying language model or upstream caller and dispatch them to Python callables. When a requested tool name does not match the declared tool list or the internal registry, praisonaiagents falls back to resolving the name against module globals and the __main__ namespace. This reflective lookup converts attacker-influenced strings into live function references.
The permission gate intended to block disallowed calls relies on _perm_allow. In the default configuration _perm_allow is None, which the gate treats as permissive for non-dangerous names. The result is that any callable reachable through globals or __main__ becomes invokable through a crafted tool-call name, including helpers the developer never exposed as tools.
Impact depends on the host application's symbol table. Functions handling configuration, file I/O, database access, or subprocess management can be reached if they share the agent's process. The advisory classifies the issue with high integrity impact and lower confidentiality and availability impact.
Root Cause
The vulnerability is an unsafe reflection pattern [CWE-470]. The tool dispatcher uses externally-controlled input to select code to execute by walking module globals and __main__ when the declared registry lookup fails, instead of failing closed.
Attack Vector
Exploitation requires the ability to influence a tool-call name reaching the agent dispatcher. This can occur through a network-exposed agent endpoint, a connected language model that emits attacker-controlled tool names, or untrusted content processed by the agent. No authentication or user interaction is required in the default configuration.
No verified public exploit code is available. The vulnerability mechanism is described in the GitHub Security Advisory GHSA-gmjg-hv98-qggq.
Detection Methods for CVE-2026-44339
Indicators of Compromise
- Agent log entries showing tool-call names that do not appear in the declared tool list or registry.
- Process telemetry showing the PraisonAI Python process invoking internal helpers, subprocess launches, or file operations not associated with declared tools.
- Outbound requests or file writes correlated with agent sessions where tool resolution fell back to globals.
Detection Strategies
- Inventory deployments to identify praisonai < 4.6.37 and praisonaiagents < 1.6.37 using software composition analysis or pip list audits.
- Instrument the agent runtime to log every resolved tool name and the resolution source (registry, globals, or __main__).
- Hunt for anomalous Python call chains originating from the agent dispatcher in EDR or runtime telemetry.
Monitoring Recommendations
- Forward agent application logs and Python process telemetry to a centralized analytics platform for correlation across sessions.
- Alert on any tool invocation where the resolved callable lives outside the declared tool module.
- Track upstream model outputs for tool-call names that deviate from the configured schema.
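The detection logic above, as an added example that is not part of the advisory: it scans agent log lines for tool names outside the declared set and for resolutions served from globals or __main__ rather than the registry. The log format, the declared tool names and the sample lines are constructed for this example and assume the runtime was instrumented to record the resolution source.

```python
"""Flag tool invocations that resolved outside the declared registry.
Log format and sample lines are constructed for this example."""
import re
from typing import Dict, FrozenSet, List

# Constructed declared tool set for the sample deployment.
DECLARED_TOOLS: FrozenSet[str] = frozenset({"get_weather", "search_docs"})

# Constructed log format: "<ts> tool_call name=<name> source=<registry|globals|__main__>"
LINE_RE = re.compile(r"^(?P<ts>\S+) tool_call name=(?P<name>\S+) source=(?P<source>\S+)$")

SAMPLE_LOG = """\
2026-05-08T10:00:01Z tool_call name=get_weather source=registry
2026-05-08T10:00:04Z tool_call name=search_docs source=registry
2026-05-08T10:00:09Z tool_call name=rotate_credentials source=globals
2026-05-08T10:00:12Z tool_call name=get_weather source=__main__
malformed line that is skipped
"""

def find_suspicious(log_text: str, declared: FrozenSet[str] = DECLARED_TOOLS) -> List[Dict[str, str]]:
    """Return one finding per line whose tool name is undeclared or whose
    resolution did not come from the registry (a declared name served from
    globals/__main__ still means the fallback path was taken)."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a tool_call record; ignore
        name, source = m["name"], m["source"]
        reasons = []
        if name not in declared:
            reasons.append("undeclared_tool_name")
        if source != "registry":
            reasons.append(f"fallback_resolution:{source}")
        if reasons:
            findings.append({"ts": m["ts"], "name": name, "reason": ",".join(reasons)})
    return findings
```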
How to Mitigate CVE-2026-44339
Immediate Actions Required
- Upgrade to praisonai 4.6.37 and praisonaiagents 1.6.37 or later in all environments.
- Audit agent configurations and explicitly set _perm_allow to a strict allow-list of declared tool names.
- Review host applications for sensitive callables that share the agent process and isolate them where feasible.
Patch Information
The maintainers fixed the issue in praisonai 4.6.37 and praisonaiagents 1.6.37. Patch details and remediation guidance are published in the PraisonAI Security Advisory GHSA-gmjg-hv98-qggq.
Workarounds
- Configure _perm_allow with an explicit allow-list rather than leaving it None.
- Run PraisonAI agents in a dedicated process or container with no application callables imported into globals or __main__.
- Validate and constrain tool-call names against the declared tool schema before dispatch.
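A model of the dispatch pattern described under Vulnerability Analysis and of the fail-closed validation in the last workaround, as an added example that is not praisonaiagents code: the permissive resolver falls back to a host namespace when the registry lookup fails and, with the allow-list unset, lets undeclared helpers through; the hardened resolver only ever returns declared tools. The helper functions and the host namespace are constructed stand-ins for an application's module globals.

```python
"""Permissive fallback resolver beside a fail-closed one (illustrative
model of the CWE-470 pattern; names below are constructed)."""
from typing import Callable, Optional, Set

# Constructed stand-in for the host application's globals / __main__.
# Only get_weather was declared as a tool; the other two are internal helpers.
def get_weather(city: str) -> str:
    return f"sunny in {city}"

def rotate_credentials() -> str:   # never declared as a tool
    return "credentials rotated"

def purge_cache() -> str:          # never declared as a tool
    return "cache purged"

HOST_NAMESPACE = {
    "get_weather": get_weather,
    "rotate_credentials": rotate_credentials,
    "purge_cache": purge_cache,
}
DECLARED_TOOLS = {"get_weather": get_weather}

def resolve_vulnerable(name: str, perm_allow: Optional[Set[str]] = None) -> Optional[Callable]:
    """Registry first, then fall back to the host namespace. With perm_allow
    None (the default described in the advisory) nothing filters the fallback."""
    fn = DECLARED_TOOLS.get(name)
    if fn is None:
        fn = HOST_NAMESPACE.get(name)   # externally chosen code (CWE-470)
    if fn is None:
        return None
    if perm_allow is not None and name not in perm_allow:
        return None
    return fn

def resolve_fail_closed(name: str, perm_allow: Optional[Set[str]] = None) -> Optional[Callable]:
    """Only declared tools resolve; an unset allow-list means 'declared tools
    only', and an allow-list can narrow but never widen that set."""
    allowed = set(DECLARED_TOOLS) if perm_allow is None else perm_allow & set(DECLARED_TOOLS)
    return DECLARED_TOOLS[name] if name in allowed else None

def dispatch(resolver: Callable, name: str, *args) -> str:
    """Dispatch a tool-call name through the given resolver."""
    fn = resolver(name)
    if fn is None:
        return f"rejected: {name!r} is not a declared tool"
    return fn(*args)
```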
# Upgrade to patched versions
pip install --upgrade "praisonai>=4.6.37" "praisonaiagents>=1.6.37"
# Verify installed versions
pip show praisonai praisonaiagents | grep -E "Name|Version"
This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.