{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3apraisonpraisonaiagentspython/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*","cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*"],"_cs_cves":[{"cvss":8.6,"id":"CVE-2026-44339"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003c= 4.6.36)","praisonaiagents (\u003c= 1.6.36)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","code-execution","ai-agent"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s \u003ccode\u003epraisonaiagents\u003c/code\u003e library exhibits an unsafe tool resolution vulnerability. Specifically, when resolving tool names, the system searches module globals and the \u003ccode\u003e__main__\u003c/code\u003e scope \u003cem\u003eafter\u003c/em\u003e failing to find a match in the declared tool list or the tool registry. Crucially, the default agent configuration sets \u003ccode\u003e_perm_allow\u003c/code\u003e to \u003ccode\u003eNone\u003c/code\u003e, meaning that the permission gate does not enforce a strict allowlist of declared tools. This allows an attacker who can control or influence the tool-call names to invoke unintended application callables, bypassing the intended security boundary of declared tools. \nThe vulnerability was verified on commit \u003ccode\u003ed8a8a786915dc67a7c3021e24f72458f2eac5d9c\u003c/code\u003e (v4.6.35).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies an application callable that is accessible via \u003ccode\u003e__main__\u003c/code\u003e or globals.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input to the PraisonAI agent that specifies the name of the target callable as the \u0026ldquo;tool\u0026rdquo; to execute.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eToolExecutionMixin.execute_tool\u003c/code\u003e function is called with the attacker-controlled tool name.\u003c/li\u003e\n\u003cli\u003eThe agent first searches for the tool in its declared \u003ccode\u003eself.tools\u003c/code\u003e list. This search fails because the tool is undeclared.\u003c/li\u003e\n\u003cli\u003eThe agent then attempts to retrieve the tool from the tool registry. This also fails.\u003c/li\u003e\n\u003cli\u003eThe agent falls back to searching for the tool name in \u003ccode\u003eglobals()\u003c/code\u003e and \u003ccode\u003e__main__\u003c/code\u003e. The attacker-specified callable is found in \u003ccode\u003e__main__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe agent executes the callable directly, passing arguments as needed.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves arbitrary code execution within the context of the PraisonAI application, potentially leading to unauthorized state changes, data exposure, or command execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have significant consequences. In deployments where untrusted parties can influence tool-call names, attackers can execute undeclared application callables, bypassing intended security boundaries. \nOperators who rely on the declared tool list as a security control are vulnerable, as this control can be circumvented. If the application keeps privileged helper functions in process scope, the attacker can reuse those helpers with the application\u0026rsquo;s own privileges, potentially leading to unauthorized state changes, data exposure, or command execution. Affected packages include \u003ccode\u003epip/praisonaiagents\u003c/code\u003e (vulnerable: \u0026lt;= 1.6.36) and \u003ccode\u003epip/PraisonAI\u003c/code\u003e (vulnerable: \u0026lt;= 4.6.36).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of \u003ccode\u003epraisonaiagents\u003c/code\u003e and \u003ccode\u003ePraisonAI\u003c/code\u003e that addresses the unsafe tool resolution (CVE-2026-44339).\u003c/li\u003e\n\u003cli\u003eConfigure the PraisonAI agent to use an explicit allowlist (\u003ccode\u003e_perm_allow\u003c/code\u003e) of permitted tools to prevent the execution of undeclared callables. \nRefer to the PraisonAI documentation for instructions on setting up the \u003ccode\u003e_perm_allow\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on tool-call names to prevent attackers from injecting arbitrary callable names.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect attempts to execute undeclared functions through \u003ccode\u003eToolExecutionMixin\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T14:01:58Z","date_published":"2026-05-11T14:01:58Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-tool-execution/","summary":"PraisonAI resolves tool names against module globals and `__main__` after failing to match declared tools, allowing an attacker who can influence tool-call names to invoke unintended application callables, leading to potential unauthorized state changes and command execution.","title":"PraisonAI Unsafe Tool Resolution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-tool-execution/"}],"language":"en","title":"CraftedSignal Threat Feed — Cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*","version":"https://jsonfeed.org/version/1.1"}