Threat Advisory

PraisonAI Vulnerability Enables Unauthenticated RCE

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-44334, with a CVSS score of 8.4, is a HIGH severity vulnerability affecting PraisonAI versions 4.5.139 through 4.6.31. It is an unauthenticated Remote Code Execution (RCE) flaw via `tool_override.py` that remained exploitable because the fix for CVE-2026-40287 did not cover this code path, allowing an attacker to inject malicious code. An attacker can exploit it by sending a malicious HTTP POST request to `/v1/recipes/run` with a `recipe` value pointing at any local absolute path or any GitHub repository; no authentication or environment opt-in is required. Successful exploitation lets the attacker execute arbitrary code on the server, with significant business impact including potential data breaches, system compromise, and reputational damage. The only prerequisite for exploitation is the ability to send an HTTP request to the affected server.

RECOMMENDATION:

We recommend updating praisonai to version 4.6.32.
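The following is an added example, not part of this advisory or of PraisonAI's own code: it checks whether an installed praisonai version falls in the affected range given above, and scans request-log lines for POSTs to `/v1/recipes/run` whose `recipe` value is an absolute local path or a GitHub repository reference, the two cases the summary names. The log line format and the sample lines are constructed assumptions.

```python
import json
import re

# Affected range as stated in the advisory (fixed in 4.6.32).
AFFECTED_MIN = (4, 5, 139)
AFFECTED_MAX = (4, 6, 31)

def parse_version(text):
    # Plain numeric versions only (e.g. "4.6.20").
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(version):
    """True if this praisonai version falls in the vulnerable range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX

# Recipe values the advisory calls out: absolute local paths (POSIX, Windows
# drive, UNC) and GitHub repository references (URL, SSH or bare host form).
ABS_PATH = re.compile(r"^(?:/|[A-Za-z]:[\\/]|\\\\)")
GITHUB_REF = re.compile(r"^(?:https?://|git@)?(?:www\.)?github\.com[/:]", re.I)

def is_suspicious_recipe(recipe):
    if not isinstance(recipe, str):
        return False
    return bool(ABS_PATH.match(recipe) or GITHUB_REF.match(recipe))

# Assumed (constructed) log format: '<client> "<METHOD> <path>" <json body>'.
LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\{.*\})\s*$')

def scan_log(lines):
    """Return (line_no, recipe) for POSTs to /v1/recipes/run with a suspicious recipe."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group(2) != "POST":
            continue
        if m.group(3).split("?")[0].rstrip("/") != "/v1/recipes/run":
            continue
        try:
            recipe = json.loads(m.group(4)).get("recipe")
        except (json.JSONDecodeError, AttributeError):
            continue
        if is_suspicious_recipe(recipe):
            hits.append((n, recipe))
    return hits

# Constructed sample log lines for demonstration.
SAMPLE_LOG = [
    '10.0.0.5 "POST /v1/recipes/run" {"recipe": "my-recipe"}',
    '10.0.0.7 "POST /v1/recipes/run" {"recipe": "/tmp/untrusted-recipe"}',
    '10.0.0.8 "POST /v1/recipes/run" {"recipe": "https://github.com/example/repo"}',
    '10.0.0.9 "GET /v1/recipes/run" {"recipe": "/etc/unused"}',
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 and 3 only; the GET line and the plain recipe name are ignored.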

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-xcmw-grxf-wjhj
