CVE-2026-44339 - PraisonAI unsafe tool resolution

PraisonAI’s tool executor could resolve an unresolved tool name against module globals and __main__ after failing to find it in declared tools or the registry. Because the default permission allow-list was unset, an attacker who could influence tool-call names could execute application callables that were never declared as tools.

For agentic systems, this breaks a core review assumption: “not in the tool list” did not mean “not callable.” The prompt below forces the remediation to treat declared tools as the security boundary.

When to use it

Use this recipe when a repository, PraisonAI deployment, or agent runtime maps model-requested tool names to Python callables. It is built for source-code remediation, tool-boundary hardening, unsafe resolution review, and audit evidence that undeclared globals and __main__ callables are not executable through tool calls.

Inputs

  • PraisonAI version, tool registry, default permission allow-list, executor code, agent config, and deployment boundary.
  • Source paths that resolve tool names, fall back to globals or __main__, apply permissions, invoke callables, or serialize tool errors.
  • Regression fixtures for declared tools, undeclared globals, __main__ functions, deny-listed names, permission-less defaults, and expected rejects.
  • Runtime boundary evidence: callable modules, secrets in process memory, filesystem reach, network access, and who can influence tool-call names.

Affected versions

Package Vulnerable versions Fixed versions
PraisonAI <=4.6.36 4.6.37
praisonaiagents <=1.6.36 1.6.37

Indicator-of-exposure

  • The repo installs PraisonAI <4.6.37 or praisonaiagents <1.6.37.
  • Users, tenants, retrieved content, workflow files, or model output can influence tool-call names.
  • Application processes keep privileged helper functions in module globals or __main__.
  • Agents rely on tools=[], declared tool lists, or approval prompts as the only tool boundary.

Quick checks:

rg -n "PraisonAI|praisonaiagents|execute_tool|ToolExecutionMixin|_perm_allow|__main__|globals\\(\\)|tools\\s*=\\s*\\[" .
python -m pip show PraisonAI praisonaiagents
pip freeze | rg -i "praisonai"

Remediation strategy

  • Upgrade PraisonAI to 4.6.37+ and praisonaiagents to 1.6.37+.
  • Treat undeclared tool names as denied by default.
  • Remove fallback resolution through globals() and __main__ for model-influenced tool calls.
  • Require a per-agent allow-list derived from declared tools and registry entries.
  • Add tests that attempt to call undeclared helpers and assert they are denied before any callable lookup happens.

The prompt

You are remediating CVE-2026-44339 in PraisonAI tool execution. Produce exactly
one output:

- A reviewer-ready PR/change request that upgrades affected packages, enforces
  declared-tool allow-lists, removes unsafe fallback resolution, refreshes
  generated artifacts, and adds regression tests, or
- TRIAGE.md if this repository does not control an affected PraisonAI runtime.

## Rules

- Scope only CVE-2026-44339 and directly related agent tool-resolution policy.
- Do not execute arbitrary undeclared helper functions to prove impact.
- Do not expose secrets, environment variables, model provider tokens, MCP
  configs, tenant data, source archives, or workflow outputs.
- Do not preserve `globals()` or `__main__` fallback for untrusted tool names.
- Do not auto-merge.

## Steps

1. Inventory Python dependencies, lockfiles, notebooks, containers, agents,
   workflow configs, examples, and generated artifacts for `PraisonAI` and
   `praisonaiagents`.
2. Determine every resolved version. A target is vulnerable if it resolves to
   `PraisonAI <4.6.37` or `praisonaiagents <1.6.37`.
3. Search for agent configurations where model output, retrieved content,
   workflow files, tenants, users, tools/call requests, or API payloads can
   influence the tool name.
4. Upgrade both packages to patched versions and regenerate all lockfiles,
   images, SBOMs, dependency reports, and generated docs.
5. If local wrappers, forks, or compatibility code exist, enforce this policy:
   - the allowed tool set is explicit and non-null;
   - unresolved tool names fail closed;
   - no fallback lookup in `globals()` or `__main__`;
   - approval prompts cannot approve a tool outside the declared allow-list;
   - audit logs record denied tool-name attempts without sensitive arguments.
6. Add regression tests:
   - declared tool succeeds;
   - undeclared `__main__` callable is denied;
   - undeclared global helper is denied;
   - default agent has a deny-by-default allow-list;
   - error messages do not leak secret arguments.
7. Add a PR body section named `CVE-2026-44339 operator actions` covering:
   affected agents, before/after package versions, tool policies changed,
   any remaining dynamic tool registry behavior, and monitoring to enable for
   denied tool-name attempts.
8. Run validation: dependency install, unit tests, agent/tool tests,
   lint/typecheck, container build, SBOM refresh, and dependency scan.
9. Use PR title:
   `fix(sec): deny undeclared PraisonAI tool calls`.

## Stop conditions

- No affected PraisonAI or praisonaiagents runtime is controlled by this repo.
- The product intentionally allows model output to call ambient process
  functions; document the risk owner and required design decision in TRIAGE.md.
- Verification would require executing dangerous undeclared helpers.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades PraisonAI, requires declared-tool allow-lists, removes unsafe fallback resolution, adds negative tool-call tests, and documents operator cleanup.
  • Or a TRIAGE.md file that lists inspected files, owner, observed version, tool-resolution boundary, callable exposure, required fix, and residual risk.
  • The output must include exact validation commands and must not invoke sensitive callables, real tools, production agents, or secrets-bearing code.

Verification - what the reviewer looks for

  • Patched PraisonAI and praisonaiagents versions are resolved everywhere.
  • Undeclared tool names fail before callable lookup.
  • Tests cover globals() and __main__ fallback attempts.
  • Approval and audit behavior cannot widen the tool boundary.

Watch for

  • Agent examples that set tools=[] but still expect ambient helper access.
  • Dynamic registries that add tools after review without policy checks.
  • Error logs that serialize sensitive tool arguments on denied calls.

References