PraisonAI praisonaiagents Unsafe Dynamic Module Loading Vulnerability (CVE-2026-61437)
A critical vulnerability, CVE-2026-61437, in PraisonAI's `praisonaiagents` pip package before version 1.6.78 allows an attacker to achieve remote code execution by exploiting an unsafe dynamic module loading mechanism when a malicious workflow file and an adjacent `tools.py` are executed, bypassing sandboxing and leading to arbitrary Python code execution with workflow runner privileges.
CVE-2026-61437 describes an unsafe dynamic module loading vulnerability in the PraisonAI praisonaiagents pip package affecting versions prior to 1.6.78. Specifically, the AgentFlow._resolve_pydantic_class function within src/praisonai-agents/praisonaiagents/workflows/workflows.py improperly handles workflow steps that use a string output_pydantic reference. When such a workflow is processed, the framework unrestrictedly imports a sibling tools.py module from the workflow's directory using importlib.exec_module. This process bypasses intended sandboxing measures and overrides environment variables designed to restrict tool usage (e.g., PRAISONAI_ALLOW_*_TOOLS). An attacker who successfully compromises or crafts a workflow file and an accompanying malicious tools.py file can execute arbitrary Python code with the privileges of the PraisonAI workflow runner when the workflow is initiated via WorkflowManager or loaded with load_yaml, leading to remote code execution and potential data compromise.
Attack Chain
- An attacker crafts a malicious PraisonAI workflow file designed to exploit the vulnerability.
- The attacker creates a malicious
tools.pyfile containing arbitrary Python code (e.g., commands for system access, data exfiltration, or reverse shells) and places it in the same directory as the malicious workflow file. - The malicious workflow file includes a workflow step that contains a string
output_pydanticreference, which triggers the vulnerable dynamic module loading mechanism. - A legitimate user or an automated process on the victim's system loads or executes the attacker-controlled workflow file using PraisonAI's
WorkflowManagerorload_yamlfunction. - During the execution of the workflow, PraisonAI's
AgentFlow._resolve_pydantic_classattempts to resolve theoutput_pydanticreference specified in the malicious workflow step. - Due to the vulnerability, the framework proceeds to dynamically import the attacker-controlled
tools.pyfile usingimportlib.exec_module, without enforcing security sandboxes or respectingPRAISONAI_ALLOW_*_TOOLSenvironment variables. - The arbitrary Python code embedded within the malicious
tools.pyfile is executed on the system with the same privileges as the PraisonAI workflow runner. - The attacker achieves remote code execution, enabling them to compromise the underlying system, access sensitive data, or establish further persistence.
Impact
Successful exploitation of CVE-2026-61437 can lead to full compromise of the system running the PraisonAI workflow. An attacker can execute arbitrary Python code, granting them the ability to install malicious software, exfiltrate sensitive data, modify system configurations, or establish persistent access. The impact extends to any data or resources accessible by the PraisonAI application, potentially affecting intellectual property, customer data, and system integrity. The CVSS v3.1 Base Score of 7.8 indicates a high severity threat, with direct implications for confidentiality, integrity, and availability.
Recommendation
- Upgrade the
praisonaiagentspip package to version 1.6.78 or newer immediately to mitigate CVE-2026-61437. - Implement strict access controls over PraisonAI workflow directories and files to prevent unauthorized modification or introduction of malicious workflows and
tools.pyfiles. - Monitor systems for unusual outbound network connections or process creations from the PraisonAI application, as these could indicate successful exploitation of CVE-2026-61437.