CVE-2026-34939: CWE-1333: Inefficient Regular Expression Complexity in MervinPraison PraisonAI
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.
AI Analysis
Technical Summary
The vulnerability arises from the MCPToolIndex.search_tools() method in PraisonAI versions before 4.5.90, which compiles caller-supplied strings as Python regular expressions without any validation, sanitization, or timeout mechanism. This allows an attacker to supply a crafted regex pattern that triggers catastrophic backtracking in the Python regex engine, blocking the executing thread for an extended period and causing a denial of service. The issue is identified as CWE-1333 (Inefficient Regular Expression Complexity). The vendor has released version 4.5.90 which patches this vulnerability by presumably adding validation or timeout controls. There is no vendor advisory explicitly stating remediation level, but the patch availability is confirmed by the version update note.
Potential Impact
Exploitation of this vulnerability results in a denial of service condition by causing the Python thread to block for hundreds of seconds due to catastrophic backtracking in regex processing. This leads to a complete service outage of PraisonAI instances running affected versions. There is no impact on confidentiality or integrity reported. No known exploits in the wild have been documented.
Mitigation Recommendations
This vulnerability is patched in PraisonAI version 4.5.90. Users should upgrade to version 4.5.90 or later to remediate the issue. Since PraisonAI is not a cloud service, remediation requires applying the vendor's patch. Patch status is confirmed by the version update note; no additional vendor advisory is available. Until upgraded, avoid processing untrusted input as regular expressions in MCPToolIndex.search_tools().
CVE-2026-34939: CWE-1333: Inefficient Regular Expression Complexity in MervinPraison PraisonAI
Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability arises from the MCPToolIndex.search_tools() method in PraisonAI versions before 4.5.90, which compiles caller-supplied strings as Python regular expressions without any validation, sanitization, or timeout mechanism. This allows an attacker to supply a crafted regex pattern that triggers catastrophic backtracking in the Python regex engine, blocking the executing thread for an extended period and causing a denial of service. The issue is identified as CWE-1333 (Inefficient Regular Expression Complexity). The vendor has released version 4.5.90 which patches this vulnerability by presumably adding validation or timeout controls. There is no vendor advisory explicitly stating remediation level, but the patch availability is confirmed by the version update note.
Potential Impact
Exploitation of this vulnerability results in a denial of service condition by causing the Python thread to block for hundreds of seconds due to catastrophic backtracking in regex processing. This leads to a complete service outage of PraisonAI instances running affected versions. There is no impact on confidentiality or integrity reported. No known exploits in the wild have been documented.
Mitigation Recommendations
This vulnerability is patched in PraisonAI version 4.5.90. Users should upgrade to version 4.5.90 or later to remediate the issue. Since PraisonAI is not a cloud service, remediation requires applying the vendor's patch. Patch status is confirmed by the version update note; no additional vendor advisory is available. Until upgraded, avoid processing untrusted input as regular expressions in MCPToolIndex.search_tools().
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-31T17:27:08.660Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d04a110a160ebd9264ca69
Added to database: 4/3/2026, 11:15:29 PM
Last enriched: 4/11/2026, 9:21:09 AM
Last updated: 5/20/2026, 8:52:28 PM
Views: 103
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.