Zero Day Monitor (ZDM) © 2026
CVE-2026-44339 · CVSS 8.6 · EXPLOITED · PATCHED
praison · praisonai

PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute

Description

PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, when a tool-call name matches neither the agent's declared tool list nor the tool registry, praisonaiagents falls through and resolves the name against module globals and the `__main__` namespace. With the default agent configuration `_perm_allow` is `None`, so the permission gate rejects only names it classifies as dangerous; an undeclared, non-dangerous name passes the gate and is looked up reflectively. An attacker who can influence tool-call names (for example through model output) can therefore invoke application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.
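The resolution order described above, as an added illustration written for this page. This is not PraisonAI's `ToolExecutionMixin` code: `permission_gate`, `DANGEROUS_NAMES`, `resolve_tool_vulnerable`, `resolve_tool_hardened`, `wipe_workspace`, `rotate_api_key` and the namespace dictionaries are constructed stand-ins, and the dangerous-name list is an assumption. It shows the pre-fix fall-through executing an undeclared callable from module globals and from a simulated `__main__`, a closed-world lookup that rejects the same names, and (in this model's gate) an explicit allow list blocking the call even on the vulnerable path.

```python
from typing import Any, Callable, Dict, Mapping, Optional, Set, Tuple

ToolFn = Callable[..., Any]

# Assumption for this example: names the gate always treats as dangerous.
# The advisory only says that undeclared "non-dangerous" names slip through
# the default gate; PraisonAI's actual list is not reproduced here.
DANGEROUS_NAMES: Set[str] = {"shell", "run_subprocess", "python_eval"}


def permission_gate(name: str, perm_allow: Optional[Set[str]]) -> bool:
    """Model of the permission gate the advisory describes.

    With an explicit allow list only listed names pass. With perm_allow=None
    (the default configuration) only dangerous names are rejected, so an
    undeclared but "non-dangerous" name passes.
    """
    if perm_allow is not None:
        return name in perm_allow
    return name not in DANGEROUS_NAMES


def resolve_tool_vulnerable(
    name: str,
    declared: Mapping[str, ToolFn],
    registry: Mapping[str, ToolFn],
    module_globals: Mapping[str, Any],
    main_globals: Mapping[str, Any],
    perm_allow: Optional[Set[str]] = None,
) -> ToolFn:
    """Pre-fix order: declared list -> registry -> module globals -> __main__."""
    if not permission_gate(name, perm_allow):
        raise PermissionError(f"tool {name!r} rejected by permission gate")
    if name in declared:
        return declared[name]
    if name in registry:
        return registry[name]
    # Reflective fall-through (CWE-470): any callable reachable by name runs,
    # whether or not the application ever meant to expose it as a tool.
    for namespace in (module_globals, main_globals):
        candidate = namespace.get(name)
        if callable(candidate):
            return candidate
    raise LookupError(f"unknown tool {name!r}")


def resolve_tool_hardened(
    name: str,
    declared: Mapping[str, ToolFn],
    registry: Mapping[str, ToolFn],
    perm_allow: Optional[Set[str]] = None,
) -> ToolFn:
    """Closed-world lookup: declared tools and the registry only, never a namespace."""
    if not permission_gate(name, perm_allow):
        raise PermissionError(f"tool {name!r} rejected by permission gate")
    if name in declared:
        return declared[name]
    if name in registry:
        return registry[name]
    raise LookupError(f"tool {name!r} is not declared")


# --- Constructed application code standing in for an agent host script ---

def search_docs(query: str) -> str:
    """The only callable the agent declares as a tool."""
    return f"results for {query}"


def wipe_workspace() -> str:
    """Internal helper in the same module; never declared as a tool."""
    return "workspace wiped"


def run_tool_call(
    name: str,
    args: Tuple[Any, ...] = (),
    hardened: bool = False,
    perm_allow: Optional[Set[str]] = None,
) -> str:
    """Execute one model-chosen tool name and report what happened."""
    declared: Dict[str, ToolFn] = {"search_docs": search_docs}
    registry: Dict[str, ToolFn] = {}
    module_globals = {"search_docs": search_docs, "wipe_workspace": wipe_workspace}
    # Constructed stand-in for the host script's __main__ namespace.
    main_globals = {"rotate_api_key": lambda: "key rotated"}
    try:
        if hardened:
            fn = resolve_tool_hardened(name, declared, registry, perm_allow)
        else:
            fn = resolve_tool_vulnerable(
                name, declared, registry, module_globals, main_globals, perm_allow
            )
    except (PermissionError, LookupError) as exc:
        return f"rejected: {exc}"
    return f"executed: {fn(*args)}"


if __name__ == "__main__":
    for tool_name in ("wipe_workspace", "rotate_api_key", "shell"):
        print(tool_name, "| vulnerable ->", run_tool_call(tool_name))
        print(tool_name, "| hardened   ->", run_tool_call(tool_name, hardened=True))
    print("wipe_workspace | vulnerable + allow list ->",
          run_tool_call("wipe_workspace", perm_allow={"search_docs"}))
```

The point for a practitioner is the last case: even before upgrading, configuring an explicit allow list of tool names turns the gate from a deny-list on "dangerous" names into a closed world, which is also what the hardened resolver does unconditionally.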

Affected Products

Vendor   Product    Versions
praison  praisonai  pip/praisonaiagents: <= 1.6.36, pip/PraisonAI: <= 4.6.36

Also Affects

Downstream vendors/products affected by this vulnerability

Vendor   Product          Source   Confidence
pip      praisonai        GHSA     85%
praison  praisonaiagents  cve_cpe  95%

References

  • https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq (x_refsource_CONFIRM)

Related News (1 articles)

Tier C · VulDB · 5d ago
CVE-2026-44339 | MervinPraison PraisonAI externally-controlled input to select classes or code (GHSA-gmjg-hv98-qggq)
→ No new info (linked only)
CVSS 3.1: 8.6 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
CISA KEV: No
Actively exploited: Yes
Patch available: praisonaiagents@1.6.37, PraisonAI@4.6.37
CWE: CWE-470
Published: May 8, 2026
Last enriched: 5d ago (v2)
Trending Score: 27
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (4)

HIGH · CVE-2026-44338 · EXP · KEV
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
Trending: 132
HIGH · CVE-2026-41496 · EXP
PraisonAI: SQL Injection via unvalidated `table_prefix` in 9 conversation store backends (incomplete fix for CVE-2026-40315)
Trending: 25
HIGH · CVE-2026-44335
SSRF bypass in PraisonAI
Trending: 23
HIGH · CVE-2026-44340 · EXP
PraisonAI: Symlink-extraction bypass of `_safe_extractall` writes outside `dest_dir`
Trending: 23

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: May 8, 2026
Discovered by ZDM: May 8, 2026
Updated (severity, activelyExploited): May 8, 2026
Actively Exploited: May 8, 2026
Patch Available: May 8, 2026

Version History

v2 · Last enriched 5d ago

v2 · Tier C · 5d ago
Updated severity to CRITICAL and noted that there is no exploit available.
Fields changed: severity, activelyExploited
via VulDB

v1 · 6d ago
Initial creation