CVE-2026-44339: PraisonAI tool bypass enables

CISO Take

PraisonAI's agent framework fails to enforce declared tool boundaries by default — when a tool name is not found in the declared list or registry, execution silently falls through to Python globals() and __main__, invoking any in-scope application callable with attacker-controlled arguments. Because _perm_allow initializes to None (semantically 'allow all' rather than 'allow declared tools only'), the declared tool list provides zero security isolation; any attacker who can influence tool-call names — most plausibly through prompt injection into an LLM-backed agent — can reach privileged helper functions the operator never intended to expose. Although EPSS is low at 0.00066, this vulnerability sits in the top 80th percentile for exploitation likelihood, CVSS scores 8.6 with no privileges or user interaction required, and the package carries 50 prior CVEs signaling a pattern of insecure defaults worth treating urgently. Upgrade praisonaiagents to >= 1.6.37 or PraisonAI to >= 4.6.37; as an immediate workaround, explicitly initialize every Agent instance with a frozenset allowlist assigned to _perm_allow.

Sources: NVD GitHub Advisory EPSS ATLAS

What is the risk?

CVSS 8.6 HIGH with a network-accessible attack vector, no privileges required, and no user interaction makes this remotely exploitable in any deployment where an untrusted party can influence tool-call names reaching the agent executor. The actual blast radius depends on what callables are loaded into process scope at runtime — benign helpers pose low risk, but privileged functions such as file I/O handlers, subprocess wrappers, database connectors, or credential accessors elevate impact to critical. The broken-by-default permission model is particularly dangerous because operators receive no visible signal that their declared tool list is not being enforced; they may believe they have locked down the agent surface when they have not.

How does the attack unfold?

Injection Entry

Attacker embeds malicious instructions in content ingested by the PraisonAI agent (document, API response, web page) directing the LLM to invoke a specific function name.

AML.T0051.001

Tool Name Crafting

The LLM generates a tool-call for a name (e.g., 'write_file', 'run_command') present in the application's globals() or __main__ but never declared as an agent tool.

AML.T0053

Permission Gate Bypass

The tool executor fails to find the name in the declared list, falls through the registry, then globals() then __main__; with _perm_allow=None no allowlist check fires.

AML.T0049

Unauthorized Execution

The undeclared callable executes with the application's full process privileges and attacker-controlled arguments, enabling data exfiltration, state modification, or arbitrary command execution.

AML.T0050

Injection Entry

Attacker embeds malicious instructions in content ingested by the PraisonAI agent (document, API response, web page) directing the LLM to invoke a specific function name.

AML.T0051.001

Tool Name Crafting

The LLM generates a tool-call for a name (e.g., 'write_file', 'run_command') present in the application's globals() or __main__ but never declared as an agent tool.

AML.T0053

Permission Gate Bypass

The tool executor fails to find the name in the declared list, falls through the registry, then globals() then __main__; with _perm_allow=None no allowlist check fires.

AML.T0049

Unauthorized Execution

The undeclared callable executes with the application's full process privileges and attacker-controlled arguments, enabling data exfiltration, state modification, or arbitrary command execution.

AML.T0050

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	<= 4.6.36	`4.6.37`
1 dependents 83% patched ~0d to patch Full package profile →
PraisonAI Agents	pip	<= 1.6.36	`1.6.37`
11 dependents 69% patched ~0d to patch Full package profile →

How severe is it?

CVSS 3.1

8.6 / 10

EPSS

0.4%

chance of exploitation in 30 days

Higher than 28% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C Low

I High

A Low

What should I do?

1 step

1) Patch: upgrade praisonaiagents to >= 1.6.37 and/or PraisonAI to >= 4.6.37 immediately. 2) Workaround (pre-patch): explicitly set self._perm_allow = frozenset({'declared_tool_1', 'declared_tool_2'}) on every Agent instance to restrict execution to named tools only. 3) Defense in depth: run agent processes under least-privilege OS accounts; avoid importing privileged modules (subprocess, os, shutil, smtplib) in the same Python process as agent execution. 4) Architecture isolation: enforce that only declared tool functions are importable within the agent process scope using import hooks or sandboxing. 5) Detection: audit agent execution logs for tool-call names that do not appear in the declared tools list; alert on function_name values that resolve to non-tool callables in globals() or __main__.

What does CISA's SSVC say?

Decision Track*

Exploitation poc

Automatable Yes

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Auth Bypass Agent Framework AML.T0049 - Exploit Public-Facing Application AML.T0051.000 - Direct AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0084.001 - Tool Definitions

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 9 - Risk Management System

ISO 42001

A.6.1.2 - AI risk assessment A.6.2.5 - AI system access control

NIST AI RMF

MANAGE 2.2 - AI risk treatments are monitored and documented

OWASP LLM Top 10

LLM01 - Prompt Injection LLM06 - Excessive Agency LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2026-44339?

PraisonAI's agent framework fails to enforce declared tool boundaries by default — when a tool name is not found in the declared list or registry, execution silently falls through to Python globals() and __main__, invoking any in-scope application callable with attacker-controlled arguments. Because _perm_allow initializes to None (semantically 'allow all' rather than 'allow declared tools only'), the declared tool list provides zero security isolation; any attacker who can influence tool-call names — most plausibly through prompt injection into an LLM-backed agent — can reach privileged helper functions the operator never intended to expose. Although EPSS is low at 0.00066, this vulnerability sits in the top 80th percentile for exploitation likelihood, CVSS scores 8.6 with no privileges or user interaction required, and the package carries 50 prior CVEs signaling a pattern of insecure defaults worth treating urgently. Upgrade praisonaiagents to >= 1.6.37 or PraisonAI to >= 4.6.37; as an immediate workaround, explicitly initialize every Agent instance with a frozenset allowlist assigned to _perm_allow.

Is CVE-2026-44339 actively exploited?

No confirmed active exploitation of CVE-2026-44339 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-44339?

1) Patch: upgrade praisonaiagents to >= 1.6.37 and/or PraisonAI to >= 4.6.37 immediately. 2) Workaround (pre-patch): explicitly set self._perm_allow = frozenset({'declared_tool_1', 'declared_tool_2'}) on every Agent instance to restrict execution to named tools only. 3) Defense in depth: run agent processes under least-privilege OS accounts; avoid importing privileged modules (subprocess, os, shutil, smtplib) in the same Python process as agent execution. 4) Architecture isolation: enforce that only declared tool functions are importable within the agent process scope using import hooks or sandboxing. 5) Detection: audit agent execution logs for tool-call names that do not appear in the declared tools list; alert on function_name values that resolve to non-tool callables in globals() or __main__.

What systems are affected by CVE-2026-44339?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM-backed agentic applications, multi-agent orchestration pipelines, agentic automation workflows.

What is the CVSS score for CVE-2026-44339?

CVE-2026-44339 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.36%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM-backed agentic applicationsmulti-agent orchestration pipelinesagentic automation workflows

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application

AML.T0051.000 Direct

AML.T0051.001 Indirect

AML.T0053 AI Agent Tool Invocation

AML.T0084.001 Tool Definitions

Compliance Controls Affected

EU AI Act: Article 9

ISO 42001: A.6.1.2, A.6.2.5

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM01, LLM06, LLM07

What are the technical details?

Original Advisory

### Summary `praisonaiagents` resolves unresolved tool names against module globals and `__main__` after it fails to match the declared tool list and the registry. With the default agent configuration, `_perm_allow` is `None`, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. ### Details The vulnerable resolution path is in [`[tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734). After searching declared tools and the registry, execution falls back to `globals()` and then `__main__`: ```python func = None for tool in self.tools if isinstance(self.tools, (list, tuple)) else []: ... if func is None: try: from ..tools.registry import get_registry registry = get_registry() func = registry.get(function_name) except ImportError: pass if func is None: func = globals().get(function_name) if not func: import __main__ func = getattr(__main__, function_name, None) ``` If a callable is found, it is executed directly: ```python elif callable(func): casted_arguments = self._cast_arguments(func, arguments) return func(**casted_arguments) ``` The permission gate does not enforce a declared-tool allowlist by default. In [`[tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550), execution is only rejected if `_perm_allow` is non-`None`: ```python if self._perm_deny and function_name in self._perm_deny: return {"error": f"Tool '{function_name}' blocked by permission policy", "permission_denied": True} if self._perm_allow is not None and function_name not in self._perm_allow: return {"error": f"Tool '{function_name}' not in allowed tools list", "permission_denied": True} ``` Default agent initialization sets `_perm_allow = None`, which means "allow all" rather than "allow only declared tools" in [`[agent.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749): ```python self._perm_deny = frozenset() # Permission tier deny set (empty = no denials) self._perm_allow = None # Permission tier allow set (None = allow all) ``` The project's own tests confirm that default agents have no allowlist and that undeclared custom tool names pass approval: - [`[test_permissions.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:56)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/[test_permissions.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:142):56) asserts that a default `Agent` has `_perm_allow is None`. - [`test_permissions.py`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:142) explicitly checks that `agent._check_tool_approval_sync("my_custom_tool", {})` passes for an undeclared tool name. **Empirical verification:** I verified the bypass locally on commit `d8a8a786915dc67a7c3021e24f72458f2eac5d9c` (`v4.6.35`) by defining a callable only in `__main__`, giving the agent an empty `tools` list, and invoking `execute_tool()` with that undeclared name. The tool executor ran the `__main__` function anyway. ### PoC **Environment** - Repo: `MervinPraison/PraisonAI` - Commit: `d8a8a786915dc67a7c3021e24f72458f2eac5d9c` - Verified against PyPI package versions available on May 3, 2026: - `praisonaiagents` `1.6.35` - `PraisonAI` `4.6.35` - Python 3 **Steps** 1. From the repository root, run: ```bash python3 - <<'PY' import sys from unittest.mock import MagicMock, patch sys.path.insert(0, '/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents') from praisonaiagents.agent.tool_execution import ToolExecutionMixin def sneaky(msg='ok'): return {'ran': msg} class HookRunner: def execute_sync(self, *args, **kwargs): return [] def is_blocked(self, results): return False class Dummy(ToolExecutionMixin): def __init__(self): self.name = 'demo' self.tools = [] self.chat_history = [] self._hook_runner = HookRunner() self.context_manager = None self._doom_loop_tracker = None self._perm_deny = frozenset() self._perm_allow = None self._approval_backend = None mock_registry = MagicMock() mock_registry.approve_sync.return_value = MagicMock(approved=True, reason='mock', modified_args=None) mock_registry.mark_approved = MagicMock() with patch('praisonaiagents.approval.get_approval_registry', return_value=mock_registry): agent = Dummy() print(agent.execute_tool('sneaky', {'msg': 'hello'})) print(mock_registry.approve_sync.call_args) PY ``` **Expected output** ```text {'ran': 'hello'} call('demo', 'sneaky', {'msg': 'hello'}) ``` The important point is that `sneaky` was never declared in `self.tools` and was only present in `__main__`. ### Impact - **Any deployment that lets an untrusted party influence tool-call names**: undeclared application callables can run even though they were never registered as tools. - **Operators who rely on the declared tool list as a security boundary**: that boundary is broken because unresolved names fall through to `globals()` and `__main__`. - **Applications that keep privileged helper functions in process scope**: the attacker can reuse those helpers with the application's own privileges, which can lead to unauthorized state changes and, depending on what is loaded, data exposure or command execution.

Exploitation Scenario

An attacker crafts a prompt injection payload embedded in content processed by the PraisonAI agent — for example, a document upload, a scraped web page, an incoming email, or an API response ingested by the agent. The injected instructions direct the LLM to call a tool named 'write_config', 'send_email', or 'run_command' — functions present in the application's __main__ module or imported globals that were never registered as agent tools. The tool executor fails to find the name in the declared list, falls through to globals() then __main__, locates the callable, and executes it with the attacker-supplied arguments. No credentials or elevated permissions are required — only the ability to influence the LLM's tool selection output is needed to reach arbitrary application callables.

Weaknesses (CWE)

CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Primary

CWE-470 — Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection'): The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

[Architecture and Design] Refactor your code to avoid using reflection.
[Architecture and Design] Do not use user-controlled inputs to select and load classes or code.

Source: MITRE CWE corpus.