{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonaiagents--1.6.78/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.8,"id":"CVE-2026-61437"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonaiagents (\u003c 1.6.78)"],"_cs_severities":["high"],"_cs_tags":["supply-chain","rce","vulnerability"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eCVE-2026-61437 describes an unsafe dynamic module loading vulnerability in the PraisonAI \u003ccode\u003epraisonaiagents\u003c/code\u003e pip package affecting versions prior to 1.6.78. Specifically, the \u003ccode\u003eAgentFlow._resolve_pydantic_class\u003c/code\u003e function within \u003ccode\u003esrc/praisonai-agents/praisonaiagents/workflows/workflows.py\u003c/code\u003e improperly handles workflow steps that use a string \u003ccode\u003eoutput_pydantic\u003c/code\u003e reference. When such a workflow is processed, the framework unrestrictedly imports a sibling \u003ccode\u003etools.py\u003c/code\u003e module from the workflow's directory using \u003ccode\u003eimportlib.exec_module\u003c/code\u003e. This process bypasses intended sandboxing measures and overrides environment variables designed to restrict tool usage (e.g., \u003ccode\u003ePRAISONAI_ALLOW_*_TOOLS\u003c/code\u003e). An attacker who successfully compromises or crafts a workflow file and an accompanying malicious \u003ccode\u003etools.py\u003c/code\u003e file can execute arbitrary Python code with the privileges of the PraisonAI workflow runner when the workflow is initiated via \u003ccode\u003eWorkflowManager\u003c/code\u003e or loaded with \u003ccode\u003eload_yaml\u003c/code\u003e, leading to remote code execution and potential data compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious PraisonAI workflow file designed to exploit the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a malicious \u003ccode\u003etools.py\u003c/code\u003e file containing arbitrary Python code (e.g., commands for system access, data exfiltration, or reverse shells) and places it in the same directory as the malicious workflow file.\u003c/li\u003e\n\u003cli\u003eThe malicious workflow file includes a workflow step that contains a string \u003ccode\u003eoutput_pydantic\u003c/code\u003e reference, which triggers the vulnerable dynamic module loading mechanism.\u003c/li\u003e\n\u003cli\u003eA legitimate user or an automated process on the victim's system loads or executes the attacker-controlled workflow file using PraisonAI's \u003ccode\u003eWorkflowManager\u003c/code\u003e or \u003ccode\u003eload_yaml\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eDuring the execution of the workflow, PraisonAI's \u003ccode\u003eAgentFlow._resolve_pydantic_class\u003c/code\u003e attempts to resolve the \u003ccode\u003eoutput_pydantic\u003c/code\u003e reference specified in the malicious workflow step.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the framework proceeds to dynamically import the attacker-controlled \u003ccode\u003etools.py\u003c/code\u003e file using \u003ccode\u003eimportlib.exec_module\u003c/code\u003e, without enforcing security sandboxes or respecting \u003ccode\u003ePRAISONAI_ALLOW_*_TOOLS\u003c/code\u003e environment variables.\u003c/li\u003e\n\u003cli\u003eThe arbitrary Python code embedded within the malicious \u003ccode\u003etools.py\u003c/code\u003e file is executed on the system with the same privileges as the PraisonAI workflow runner.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution, enabling them to compromise the underlying system, access sensitive data, or establish further persistence.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61437 can lead to full compromise of the system running the PraisonAI workflow. An attacker can execute arbitrary Python code, granting them the ability to install malicious software, exfiltrate sensitive data, modify system configurations, or establish persistent access. The impact extends to any data or resources accessible by the PraisonAI application, potentially affecting intellectual property, customer data, and system integrity. The CVSS v3.1 Base Score of 7.8 indicates a high severity threat, with direct implications for confidentiality, integrity, and availability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003epraisonaiagents\u003c/code\u003e pip package to version 1.6.78 or newer immediately to mitigate CVE-2026-61437.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls over PraisonAI workflow directories and files to prevent unauthorized modification or introduction of malicious workflows and \u003ccode\u003etools.py\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eMonitor systems for unusual outbound network connections or process creations from the PraisonAI application, as these could indicate successful exploitation of CVE-2026-61437.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T15:27:32Z","date_published":"2026-07-10T15:27:32Z","id":"https://feed.craftedsignal.io/briefs/2026-07-praisonai-dynamic-module-loading-rce/","summary":"A critical vulnerability, CVE-2026-61437, in PraisonAI's `praisonaiagents` pip package before version 1.6.78 allows an attacker to achieve remote code execution by exploiting an unsafe dynamic module loading mechanism when a malicious workflow file and an adjacent `tools.py` are executed, bypassing sandboxing and leading to arbitrary Python code execution with workflow runner privileges.","title":"PraisonAI praisonaiagents Unsafe Dynamic Module Loading Vulnerability (CVE-2026-61437)","url":"https://feed.craftedsignal.io/briefs/2026-07-praisonai-dynamic-module-loading-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonaiagents (\u003c 1.6.78)","version":"https://jsonfeed.org/version/1.1"}