CVE-2026-44334: CWE-94: Improper Control of Generation of Code ('Code Injection') in MervinPraison PraisonAI
PraisonAI is a multi-agent teams system. From version 4.5.139 to before version 4.6.32, CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through POST /v1/recipes/run with a recipe value pointing at any local absolute path or any GitHub repo (because SecurityConfig.allow_any_github defaults to True). The attacker drops a tools.py next to TEMPLATE.yaml; the server exec_module()s it. No auth required by default, no environment opt-in required. This issue has been patched in version 4.6.32.
AI Analysis
Technical Summary
PraisonAI versions from 4.5.139 to before 4.6.32 contain a code injection vulnerability (CWE-94) caused by an unguarded import sink in praisonai/templates/tool_override.py. The earlier fix gated tools.py auto-import behind an environment variable in two files, but this third location remained exposed. The vulnerability is triggered remotely via POST /v1/recipes/run by specifying a recipe that points to a local absolute path or any GitHub repository, the latter because SecurityConfig.allow_any_github defaults to True. An attacker can place a malicious tools.py file next to TEMPLATE.yaml, which the server then executes via exec_module(), enabling arbitrary code execution without authentication. The vulnerability is patched in version 4.6.32.
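The gating pattern described above, as an added example that is not PraisonAI's code: it places the unguarded import next to a form where every sink goes through one opt-in check. The function names and the exact comparison against "true" are assumptions; only PRAISONAI_ALLOW_LOCAL_TOOLS, tools.py, TEMPLATE.yaml and exec_module() come from the advisory.

```python
import importlib.util
import os
import tempfile
from pathlib import Path

# Opt-in variable named in the advisory; all function names below are hypothetical.
ALLOW_ENV = "PRAISONAI_ALLOW_LOCAL_TOOLS"


def load_tools_unguarded(template_dir):
    """Missed-sink pattern: execute tools.py only because it sits beside TEMPLATE.yaml."""
    tools = Path(template_dir) / "tools.py"
    if not tools.is_file():
        return None
    spec = importlib.util.spec_from_file_location("recipe_tools", tools)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # runs whatever the recipe directory shipped
    return module


def local_tools_allowed(environ=None):
    """Single choke point for the opt-in, so no import sink can skip the check."""
    environ = os.environ if environ is None else environ
    # Assumption: only the literal value "true" (case-insensitive) opts in.
    return environ.get(ALLOW_ENV, "").strip().lower() == "true"


def load_tools_guarded(template_dir, environ=None):
    """Hardened form: refuse to import unless the operator opted in."""
    if not local_tools_allowed(environ):
        return None
    return load_tools_unguarded(template_dir)


def make_sample_recipe():
    """Constructed sample: a recipe directory whose tools.py only sets a flag."""
    d = Path(tempfile.mkdtemp(prefix="recipe_"))
    (d / "TEMPLATE.yaml").write_text("name: sample\n")
    (d / "tools.py").write_text("EXECUTED = True\n")
    return d


if __name__ == "__main__":
    recipe = make_sample_recipe()
    print("unguarded:", load_tools_unguarded(recipe) is not None)
    print("guarded, no opt-in:", load_tools_guarded(recipe, {}) is not None)
    print("guarded, opt-in:", load_tools_guarded(recipe, {ALLOW_ENV: "true"}) is not None)
```

Routing every loader through one function such as local_tools_allowed() is what keeps a later-added sink from bypassing the gate.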
Potential Impact
Successful exploitation allows unauthenticated remote attackers with network-level access to execute arbitrary code on the PraisonAI server, compromising confidentiality, integrity, and availability. The vulnerability affects all installations running affected versions with default configurations, potentially leading to full system compromise. There are no known exploits in the wild at this time.
Mitigation Recommendations
This vulnerability is fixed in PraisonAI version 4.6.32. Users should upgrade to version 4.6.32 or later to remediate this issue. Until upgrading, restricting network access to the /v1/recipes/run endpoint and disabling or carefully configuring SecurityConfig.allow_any_github may reduce exposure. Patch status is not explicitly stated beyond the fixed version, so verify the latest remediation guidance against the vendor advisory.
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-05T19:52:59.147Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69fdede4cbff5d8610dd27bd
Added to database: 5/8/2026, 2:06:28 PM
Last enriched: 5/8/2026, 2:21:52 PM
Last updated: 5/9/2026, 3:47:39 AM