CVE-2026-44334: PraisonAI Multi-Agent System Vulnerable to Remote Code Execution

The National Vulnerability Database details CVE-2026-44334, a high-severity vulnerability (CVSS 8.4) affecting PraisonAI, a multi-agent teams system. Versions 4.5.139 through 4.6.31 are susceptible to remote code execution due to an incomplete fix for a prior vulnerability (CVE-2026-40287). While previous patches gated tools.py auto-import functionality, a critical third import sink in praisonai/templates/tool_override.py was overlooked and remains unguarded.

This oversight allows an attacker to remotely trigger code execution. By sending a POST request to /v1/recipes/run with a crafted recipe value pointing to a local absolute path or any GitHub repository, an attacker can drop and execute a malicious tools.py file. Crucially, this attack requires no authentication by default and no specific environment opt-in from the victim, making it highly accessible. The issue stems from SecurityConfig.allow_any_github defaulting to True and the server’s exec_module() call on the dropped file. PraisonAI version 4.6.32 contains the patch for this vulnerability.

This isn’t just a theoretical flaw; it’s a direct path to server compromise. The attacker’s calculus is simple: find an exposed PraisonAI instance, send a crafted request, and gain execution. For defenders, this means immediate attention is required. This type of vulnerability, classified as CWE-94 (Improper Control of Generation of Code (‘Code Injection’)), is a CISO’s nightmare because it bypasses typical application security layers by design, leveraging the application’s own functionality against itself.

What This Means For You

  • If your organization uses PraisonAI, you are exposed to unauthenticated remote code execution via CVE-2026-44334. Immediately verify your PraisonAI version. If it's between 4.5.139 and 4.6.31, you must upgrade to version 4.6.32 or later without delay. Review your network segmentation to ensure PraisonAI instances are not directly exposed to the internet.

🛡️ Detection Rules


critical T1190 Initial Access

CVE-2026-44334: PraisonAI Unsanctioned Tool Import via POST /v1/recipes/run

Sigma YAML
title: CVE-2026-44334: PraisonAI Unsanctioned Tool Import via POST /v1/recipes/run
id: scw-2026-05-08-ai-1
status: experimental
level: critical
description: |
  Detects the specific exploit path for CVE-2026-44334 where an attacker sends a POST request to /v1/recipes/run with a crafted recipe body that attempts to import an unsanctioned 'tools.py' file, leading to remote code execution. This rule specifically looks for the POST method to the /v1/recipes/run endpoint and the presence of 'tools.py' within the request body, indicating the exploit attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-08
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44334/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  # request_body is not a standard web server log field; it must be captured by the application or a proxy.
  selection:
    cs-method: 'POST'
    cs-uri: '/v1/recipes/run'
  selection_base:
    request_body|contains: 'tools.py'
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity
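
The advisory describes the trigger as a recipe value that points at a local absolute path or a GitHub repository, so a check on the recipe value itself complements a match on the literal tools.py. The following is an added example, not code from PraisonAI or from the rule above; the JSON-lines log layout (src, method, path, body), the "recipe" body key, and the GitHub reference spellings are assumptions, and the sample records are constructed.

```python
import json
import re

ENDPOINT = "/v1/recipes/run"
# Assumed spellings of a GitHub reference; the advisory only says "any GitHub repository".
GITHUB_RE = re.compile(r"^(github:|(https?://)?(www\.)?github\.com/)", re.I)
# POSIX absolute path, Windows drive path, or UNC path.
ABS_PATH_RE = re.compile(r"^(/|[A-Za-z]:[\\/]|\\\\)")

def classify_recipe(value):
    """Return a reason if the recipe value is a path or GitHub reference, else None."""
    if not isinstance(value, str):
        return None
    v = value.strip()
    if GITHUB_RE.match(v):
        return "github reference"
    if ABS_PATH_RE.match(v):
        return "absolute path"
    return None

def scan(log_lines):
    """Return (line_no, source, reason) for each suspicious POST to the recipe endpoint."""
    findings = []
    for n, line in enumerate(log_lines, 1):
        try:
            rec = json.loads(line)
            body = json.loads(rec.get("body") or "{}")
        except (ValueError, AttributeError):
            continue  # not a JSON record, or body is not JSON
        if str(rec.get("method", "")).upper() != "POST":
            continue
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
        if path != ENDPOINT or not isinstance(body, dict):
            continue
        reason = classify_recipe(body.get("recipe"))
        if reason:
            findings.append((n, rec.get("src"), reason))
    return findings

def _line(src, method, path, body):
    return json.dumps({"src": src, "method": method, "path": path, "body": json.dumps(body)})

# Constructed sample records (documentation IP ranges, placeholder names).
SAMPLE_LOG = [
    _line("192.0.2.10", "POST", "/v1/recipes/run", {"recipe": "support-triage"}),
    _line("198.51.100.7", "POST", "/v1/recipes/run", {"recipe": "/tmp/recipe-dir"}),
    _line("198.51.100.7", "POST", "/v1/recipes/run/", {"recipe": "github:example-org/example-repo"}),
    _line("192.0.2.10", "GET", "/v1/recipes/run", {}),
    "not json",
]
```

On a patched deployment that legitimately loads recipes from GitHub, the "github reference" findings need an allowlist of approved repositories before they are useful as alerts.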

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44334 | RCE | PraisonAI versions 4.5.139 to before 4.6.32 |
| CVE-2026-44334 | RCE | Vulnerable component: praisonai/templates/tool_override.py |
| CVE-2026-44334 | RCE | Remotely triggerable via POST /v1/recipes/run endpoint |
| CVE-2026-44334 | RCE | Attack vector: Supplying a recipe value pointing to a local absolute path or GitHub repo, leading to exec_module() of attacker-controlled tools.py |

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 08, 2026 at 17:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
