CVE-2026-44334: PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)

TL;DR CVE-2026-40287's fix gated tools.py auto-import behind PRAISONAI_ALLOW_LOCAL_TOOLS=true in two files (tool_resolver.py, api/call.py). A third import sink in praisonai/templates/tool_override.py was missed and rema…

8.4CVSS Score

HIGHSeverity

NOCISA KEV

VulnerabilityImpact Type

📋 Vulnerability Details

CVE ID	CVE-2026-44334
Vendor	pip
Affected Product	praisonai
Vulnerability Type	Vulnerability
CVSS Score	8.4 (HIGH)
Actively Exploited	❌ No known exploitation
Patch Status	See Vendor Advisory →
Reported By	CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis

TL;DR CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in two files (`tool_resolver.py`, `api/call.py`). A third import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is remotely triggerable through `POST /v1/recipes/run` with a `recipe` value pointing at any local absolute path or any GitHub repo (because `SecurityConfig.allow_any_github` defaults to `True`). The attacker drops a `tools.py` next to `TEMPLATE.yaml`; the server `exec_module()`s it. No auth required by default, no environment opt-in required.

Patch coverage gap CVE-2026-40287 was fixed in v4.5.139 by adding an env-var gate at: | File | Line | Gate |

|---|---|---| |

📚 Advisory References

⚡ DETECTION RULES AVAILABLE

Get CVE-2026-44334 Detection Pack

Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.

✓ Sigma Rules ✓ YARA Pack ✓ IOC Table ✓ SIEM Queries

🛡️ Get Detection Pack → 🔌 Access via API →