<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Praisonaiagents (&lt; 1.6.78) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/praisonaiagents--1.6.78/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 15:27:32 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/praisonaiagents--1.6.78/feed.xml" rel="self" type="application/rss+xml"/><item><title>PraisonAI praisonaiagents Unsafe Dynamic Module Loading Vulnerability (CVE-2026-61437)</title><link>https://feed.craftedsignal.io/briefs/2026-07-praisonai-dynamic-module-loading-rce/</link><pubDate>Fri, 10 Jul 2026 15:27:32 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-praisonai-dynamic-module-loading-rce/</guid><description>A critical vulnerability, CVE-2026-61437, in PraisonAI's `praisonaiagents` pip package before version 1.6.78 allows an attacker to achieve remote code execution by exploiting an unsafe dynamic module loading mechanism when a malicious workflow file and an adjacent `tools.py` are executed, bypassing sandboxing and leading to arbitrary Python code execution with workflow runner privileges.</description><content:encoded><![CDATA[<p>CVE-2026-61437 describes an unsafe dynamic module loading vulnerability in the PraisonAI <code>praisonaiagents</code> pip package affecting versions prior to 1.6.78. Specifically, the <code>AgentFlow._resolve_pydantic_class</code> function within <code>src/praisonai-agents/praisonaiagents/workflows/workflows.py</code> improperly handles workflow steps that use a string <code>output_pydantic</code> reference. When such a workflow is processed, the framework unrestrictedly imports a sibling <code>tools.py</code> module from the workflow's directory using <code>importlib.exec_module</code>. This process bypasses intended sandboxing measures and overrides environment variables designed to restrict tool usage (e.g., <code>PRAISONAI_ALLOW_*_TOOLS</code>). An attacker who successfully compromises or crafts a workflow file and an accompanying malicious <code>tools.py</code> file can execute arbitrary Python code with the privileges of the PraisonAI workflow runner when the workflow is initiated via <code>WorkflowManager</code> or loaded with <code>load_yaml</code>, leading to remote code execution and potential data compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious PraisonAI workflow file designed to exploit the vulnerability.</li>
<li>The attacker creates a malicious <code>tools.py</code> file containing arbitrary Python code (e.g., commands for system access, data exfiltration, or reverse shells) and places it in the same directory as the malicious workflow file.</li>
<li>The malicious workflow file includes a workflow step that contains a string <code>output_pydantic</code> reference, which triggers the vulnerable dynamic module loading mechanism.</li>
<li>A legitimate user or an automated process on the victim's system loads or executes the attacker-controlled workflow file using PraisonAI's <code>WorkflowManager</code> or <code>load_yaml</code> function.</li>
<li>During the execution of the workflow, PraisonAI's <code>AgentFlow._resolve_pydantic_class</code> attempts to resolve the <code>output_pydantic</code> reference specified in the malicious workflow step.</li>
<li>Due to the vulnerability, the framework proceeds to dynamically import the attacker-controlled <code>tools.py</code> file using <code>importlib.exec_module</code>, without enforcing security sandboxes or respecting <code>PRAISONAI_ALLOW_*_TOOLS</code> environment variables.</li>
<li>The arbitrary Python code embedded within the malicious <code>tools.py</code> file is executed on the system with the same privileges as the PraisonAI workflow runner.</li>
<li>The attacker achieves remote code execution, enabling them to compromise the underlying system, access sensitive data, or establish further persistence.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61437 can lead to full compromise of the system running the PraisonAI workflow. An attacker can execute arbitrary Python code, granting them the ability to install malicious software, exfiltrate sensitive data, modify system configurations, or establish persistent access. The impact extends to any data or resources accessible by the PraisonAI application, potentially affecting intellectual property, customer data, and system integrity. The CVSS v3.1 Base Score of 7.8 indicates a high severity threat, with direct implications for confidentiality, integrity, and availability.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade the <code>praisonaiagents</code> pip package to version 1.6.78 or newer immediately to mitigate CVE-2026-61437.</li>
<li>Implement strict access controls over PraisonAI workflow directories and files to prevent unauthorized modification or introduction of malicious workflows and <code>tools.py</code> files.</li>
<li>Monitor systems for unusual outbound network connections or process creations from the PraisonAI application, as these could indicate successful exploitation of CVE-2026-61437.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>supply-chain</category><category>rce</category><category>vulnerability</category></item></channel></rss>