CVE-2026-44339 - PraisonAI unsafe tool resolution
PraisonAI’s tool executor could resolve an unresolved tool name against module
globals and __main__ after failing to find it in declared tools or the
registry. Because the default permission allow-list was unset, an attacker who
could influence tool-call names could execute application callables that were
never declared as tools.
For agentic systems, this breaks a core review assumption: “not in the tool list” did not mean “not callable.” The prompt below forces the remediation to treat declared tools as the security boundary.
When to use it
Use this recipe when a repository, PraisonAI deployment, or agent runtime maps
model-requested tool names to Python callables. It is built for source-code
remediation, tool-boundary hardening, unsafe resolution review, and audit
evidence that undeclared globals and __main__ callables are not executable
through tool calls.
Inputs
- PraisonAI version, tool registry, default permission allow-list, executor code, agent config, and deployment boundary.
- Source paths that resolve tool names, fall back to globals or
__main__, apply permissions, invoke callables, or serialize tool errors. - Regression fixtures for declared tools, undeclared globals,
__main__functions, deny-listed names, permission-less defaults, and expected rejects. - Runtime boundary evidence: callable modules, secrets in process memory, filesystem reach, network access, and who can influence tool-call names.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
PraisonAI |
<=4.6.36 |
4.6.37 |
praisonaiagents |
<=1.6.36 |
1.6.37 |
Indicator-of-exposure
- The repo installs
PraisonAI <4.6.37orpraisonaiagents <1.6.37. - Users, tenants, retrieved content, workflow files, or model output can influence tool-call names.
- Application processes keep privileged helper functions in module globals or
__main__. - Agents rely on
tools=[], declared tool lists, or approval prompts as the only tool boundary.
Quick checks:
rg -n "PraisonAI|praisonaiagents|execute_tool|ToolExecutionMixin|_perm_allow|__main__|globals\\(\\)|tools\\s*=\\s*\\[" .
python -m pip show PraisonAI praisonaiagents
pip freeze | rg -i "praisonai"
Remediation strategy
- Upgrade
PraisonAIto4.6.37+andpraisonaiagentsto1.6.37+. - Treat undeclared tool names as denied by default.
- Remove fallback resolution through
globals()and__main__for model-influenced tool calls. - Require a per-agent allow-list derived from declared tools and registry entries.
- Add tests that attempt to call undeclared helpers and assert they are denied before any callable lookup happens.
The prompt
You are remediating CVE-2026-44339 in PraisonAI tool execution. Produce exactly
one output:
- A reviewer-ready PR/change request that upgrades affected packages, enforces
declared-tool allow-lists, removes unsafe fallback resolution, refreshes
generated artifacts, and adds regression tests, or
- TRIAGE.md if this repository does not control an affected PraisonAI runtime.
## Rules
- Scope only CVE-2026-44339 and directly related agent tool-resolution policy.
- Do not execute arbitrary undeclared helper functions to prove impact.
- Do not expose secrets, environment variables, model provider tokens, MCP
configs, tenant data, source archives, or workflow outputs.
- Do not preserve `globals()` or `__main__` fallback for untrusted tool names.
- Do not auto-merge.
## Steps
1. Inventory Python dependencies, lockfiles, notebooks, containers, agents,
workflow configs, examples, and generated artifacts for `PraisonAI` and
`praisonaiagents`.
2. Determine every resolved version. A target is vulnerable if it resolves to
`PraisonAI <4.6.37` or `praisonaiagents <1.6.37`.
3. Search for agent configurations where model output, retrieved content,
workflow files, tenants, users, tools/call requests, or API payloads can
influence the tool name.
4. Upgrade both packages to patched versions and regenerate all lockfiles,
images, SBOMs, dependency reports, and generated docs.
5. If local wrappers, forks, or compatibility code exist, enforce this policy:
- the allowed tool set is explicit and non-null;
- unresolved tool names fail closed;
- no fallback lookup in `globals()` or `__main__`;
- approval prompts cannot approve a tool outside the declared allow-list;
- audit logs record denied tool-name attempts without sensitive arguments.
6. Add regression tests:
- declared tool succeeds;
- undeclared `__main__` callable is denied;
- undeclared global helper is denied;
- default agent has a deny-by-default allow-list;
- error messages do not leak secret arguments.
7. Add a PR body section named `CVE-2026-44339 operator actions` covering:
affected agents, before/after package versions, tool policies changed,
any remaining dynamic tool registry behavior, and monitoring to enable for
denied tool-name attempts.
8. Run validation: dependency install, unit tests, agent/tool tests,
lint/typecheck, container build, SBOM refresh, and dependency scan.
9. Use PR title:
`fix(sec): deny undeclared PraisonAI tool calls`.
## Stop conditions
- No affected PraisonAI or praisonaiagents runtime is controlled by this repo.
- The product intentionally allows model output to call ambient process
functions; document the risk owner and required design decision in TRIAGE.md.
- Verification would require executing dangerous undeclared helpers.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades PraisonAI, requires declared-tool allow-lists, removes unsafe fallback resolution, adds negative tool-call tests, and documents operator cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, tool-resolution boundary, callable exposure, required fix, and residual risk. - The output must include exact validation commands and must not invoke sensitive callables, real tools, production agents, or secrets-bearing code.
Verification - what the reviewer looks for
- Patched PraisonAI and praisonaiagents versions are resolved everywhere.
- Undeclared tool names fail before callable lookup.
- Tests cover
globals()and__main__fallback attempts. - Approval and audit behavior cannot widen the tool boundary.
Watch for
- Agent examples that set
tools=[]but still expect ambient helper access. - Dynamic registries that add tools after review without policy checks.
- Error logs that serialize sensitive tool arguments on denied calls.
Related recipes
- Source code attack surface map
- Source code authz tenant boundary audit
- Source code injection sink audit
- SAST finding triage and fix