Remote Code Execution in PraisonAI Versions 4.5.139 to 4.6.32
CVE-2026-44334

8.4HIGH

Key Information:

Vendor: Mervinpraison
Status: Praisonai
Vendor: CVE Published:; 8 May 2026

🔔 Create Mervinpraison Vulnerability Alert

What is CVE-2026-44334?

The PraisonAI multi-agent system has a vulnerability that stems from improper validation of imports in its tool execution framework. Specifically, versions 4.5.139 through 4.6.31 fail to properly guard a crucial import mechanism in 'tool_override.py', allowing attackers to execute arbitrary code remotely. By utilizing the recipe runner mechanism and crafting a malicious recipe that points to local paths or compromised GitHub repositories, an attacker can bypass authentication requirements and potentially execute harmful code on the server.

Affected Version(s)

PraisonAI >= 4.5.139, < 4.6.32

References

https://github.com/MervinPraison/PraisonAI/security/advis...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 8, 2026
Vulnerability Reserved
May 5, 2026

CVE-2026-44334 Data

JSON