PraisonAI Vulnerability Allows Undeclared Tool Invocation (CVE-2026-44339)

A critical vulnerability, CVE-2026-44339, has been identified in PraisonAI’s multi-agent teams system, specifically affecting versions prior to 4.6.37 of praisonai and 1.6.37 of praisonaiagents. According to the National Vulnerability Database, the praisonaiagents component incorrectly attempts to resolve undeclared tool names against module globals and __main__ when its standard tool matching fails. This design flaw, coupled with a default agent configuration where _perm_allow is None, means that non-dangerous, undeclared tool names are not blocked by the system’s permission gate.

This oversight creates a significant attack vector. An attacker capable of influencing tool-call names can exploit this to invoke application callables that were never explicitly declared as tools. The National Vulnerability Database rates this with a CVSS score of 8.6 (HIGH), highlighting the severity of the issue, which could lead to unintended execution of code. The vulnerability is categorized under CWE-470, indicating an improper release of system resources or privileges.

Patches addressing this issue have been released in praisonai version 4.6.37 and praisonaiagents version 1.6.37. Organizations leveraging PraisonAI’s multi-agent systems must prioritize these updates immediately to mitigate the risk of unauthorized command execution. The attacker’s calculus here is straightforward: find a way to inject or manipulate tool-call names, and you gain an unauthorized execution primitive.