GHSA-GMJG-HV98-QGGQ

Vulnerability from github – Published: 2026-05-11 13:59 – Updated: 2026-05-11 13:59
VLAI?
Summary
PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute
Details

Summary

praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools.

Details

The vulnerable resolution path is in [tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734). After searching declared tools and the registry, execution falls back to globals() and then __main__:

func = None
for tool in self.tools if isinstance(self.tools, (list, tuple)) else []:
    ...

if func is None:
    try:
        from ..tools.registry import get_registry
        registry = get_registry()
        func = registry.get(function_name)
    except ImportError:
        pass

if func is None:
    func = globals().get(function_name)
    if not func:
        import __main__
        func = getattr(__main__, function_name, None)

If a callable is found, it is executed directly:

elif callable(func):
    casted_arguments = self._cast_arguments(func, arguments)
    return func(**casted_arguments)

The permission gate does not enforce a declared-tool allowlist by default. In [tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550), execution is only rejected if _perm_allow is non-None:

if self._perm_deny and function_name in self._perm_deny:
    return {"error": f"Tool '{function_name}' blocked by permission policy", "permission_denied": True}
if self._perm_allow is not None and function_name not in self._perm_allow:
    return {"error": f"Tool '{function_name}' not in allowed tools list", "permission_denied": True}

Default agent initialization sets _perm_allow = None, which means "allow all" rather than "allow only declared tools" in [agent.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749):

self._perm_deny = frozenset()  # Permission tier deny set (empty = no denials)
self._perm_allow = None        # Permission tier allow set (None = allow all)

The project's own tests confirm that default agents have no allowlist and that undeclared custom tool names pass approval:

Empirical verification:

I verified the bypass locally on commit d8a8a786915dc67a7c3021e24f72458f2eac5d9c (v4.6.35) by defining a callable only in __main__, giving the agent an empty tools list, and invoking execute_tool() with that undeclared name. The tool executor ran the __main__ function anyway.

PoC

Environment - Repo: MervinPraison/PraisonAI - Commit: d8a8a786915dc67a7c3021e24f72458f2eac5d9c - Verified against PyPI package versions available on May 3, 2026: - praisonaiagents 1.6.35 - PraisonAI 4.6.35 - Python 3

Steps 1. From the repository root, run:

python3 - <<'PY'
import sys
from unittest.mock import MagicMock, patch

sys.path.insert(0, '/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents')
from praisonaiagents.agent.tool_execution import ToolExecutionMixin

def sneaky(msg='ok'):
    return {'ran': msg}

class HookRunner:
    def execute_sync(self, *args, **kwargs):
        return []
    def is_blocked(self, results):
        return False

class Dummy(ToolExecutionMixin):
    def __init__(self):
        self.name = 'demo'
        self.tools = []
        self.chat_history = []
        self._hook_runner = HookRunner()
        self.context_manager = None
        self._doom_loop_tracker = None
        self._perm_deny = frozenset()
        self._perm_allow = None
        self._approval_backend = None

mock_registry = MagicMock()
mock_registry.approve_sync.return_value = MagicMock(approved=True, reason='mock', modified_args=None)
mock_registry.mark_approved = MagicMock()

with patch('praisonaiagents.approval.get_approval_registry', return_value=mock_registry):
    agent = Dummy()
    print(agent.execute_tool('sneaky', {'msg': 'hello'}))
    print(mock_registry.approve_sync.call_args)
PY

Expected output

{'ran': 'hello'}
call('demo', 'sneaky', {'msg': 'hello'})

The important point is that sneaky was never declared in self.tools and was only present in __main__.

Impact

  • Any deployment that lets an untrusted party influence tool-call names: undeclared application callables can run even though they were never registered as tools.
  • Operators who rely on the declared tool list as a security boundary: that boundary is broken because unresolved names fall through to globals() and __main__.
  • Applications that keep privileged helper functions in process scope: the attacker can reuse those helpers with the application's own privileges, which can lead to unauthorized state changes and, depending on what is loaded, data exposure or command execution.
Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.6.36"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.36"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.37"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44339"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-470"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-11T13:59:17Z",
    "nvd_published_at": "2026-05-08T14:16:46Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`praisonaiagents` resolves unresolved tool names against module globals and `__main__` after it fails to match the declared tool list and the registry. With the default agent configuration, `_perm_allow` is `None`, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools.\n\n### Details\nThe vulnerable resolution path is in [`[tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:734). After searching declared tools and the registry, execution falls back to `globals()` and then `__main__`:\n\n```python\nfunc = None\nfor tool in self.tools if isinstance(self.tools, (list, tuple)) else []:\n    ...\n\nif func is None:\n    try:\n        from ..tools.registry import get_registry\n        registry = get_registry()\n        func = registry.get(function_name)\n    except ImportError:\n        pass\n\nif func is None:\n    func = globals().get(function_name)\n    if not func:\n        import __main__\n        func = getattr(__main__, function_name, None)\n```\n\nIf a callable is found, it is executed directly:\n\n```python\nelif callable(func):\n    casted_arguments = self._cast_arguments(func, arguments)\n    return func(**casted_arguments)\n```\n\nThe permission gate does not enforce a declared-tool allowlist by default. In [`[tool_execution.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/tool_execution.py:550), execution is only rejected if `_perm_allow` is non-`None`:\n\n```python\nif self._perm_deny and function_name in self._perm_deny:\n    return {\"error\": f\"Tool \u0027{function_name}\u0027 blocked by permission policy\", \"permission_denied\": True}\nif self._perm_allow is not None and function_name not in self._perm_allow:\n    return {\"error\": f\"Tool \u0027{function_name}\u0027 not in allowed tools list\", \"permission_denied\": True}\n```\n\nDefault agent initialization sets `_perm_allow = None`, which means \"allow all\" rather than \"allow only declared tools\" in [`[agent.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/praisonaiagents/agent/agent.py:1749):\n\n```python\nself._perm_deny = frozenset()  # Permission tier deny set (empty = no denials)\nself._perm_allow = None        # Permission tier allow set (None = allow all)\n```\n\nThe project\u0027s own tests confirm that default agents have no allowlist and that undeclared custom tool names pass approval:\n\n- [`[test_permissions.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:56)`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/[test_permissions.py](https://github.com/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:142):56) asserts that a default `Agent` has `_perm_allow is None`.\n- [`test_permissions.py`](/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents/tests/unit/test_permissions.py:142) explicitly checks that `agent._check_tool_approval_sync(\"my_custom_tool\", {})` passes for an undeclared tool name.\n\n**Empirical verification:**\n\nI verified the bypass locally on commit `d8a8a786915dc67a7c3021e24f72458f2eac5d9c` (`v4.6.35`) by defining a callable only in `__main__`, giving the agent an empty `tools` list, and invoking `execute_tool()` with that undeclared name. The tool executor ran the `__main__` function anyway.\n\n### PoC\n**Environment**\n- Repo: `MervinPraison/PraisonAI`\n- Commit: `d8a8a786915dc67a7c3021e24f72458f2eac5d9c`\n- Verified against PyPI package versions available on May 3, 2026:\n  - `praisonaiagents` `1.6.35`\n  - `PraisonAI` `4.6.35`\n- Python 3\n\n**Steps**\n1. From the repository root, run:\n\n```bash\npython3 - \u003c\u003c\u0027PY\u0027\nimport sys\nfrom unittest.mock import MagicMock, patch\n\nsys.path.insert(0, \u0027/Users/shmulc/Documents/Codex/2026-05-03/please-go-over-tmp-tp-advisories/repos/PraisonAI/src/praisonai-agents\u0027)\nfrom praisonaiagents.agent.tool_execution import ToolExecutionMixin\n\ndef sneaky(msg=\u0027ok\u0027):\n    return {\u0027ran\u0027: msg}\n\nclass HookRunner:\n    def execute_sync(self, *args, **kwargs):\n        return []\n    def is_blocked(self, results):\n        return False\n\nclass Dummy(ToolExecutionMixin):\n    def __init__(self):\n        self.name = \u0027demo\u0027\n        self.tools = []\n        self.chat_history = []\n        self._hook_runner = HookRunner()\n        self.context_manager = None\n        self._doom_loop_tracker = None\n        self._perm_deny = frozenset()\n        self._perm_allow = None\n        self._approval_backend = None\n\nmock_registry = MagicMock()\nmock_registry.approve_sync.return_value = MagicMock(approved=True, reason=\u0027mock\u0027, modified_args=None)\nmock_registry.mark_approved = MagicMock()\n\nwith patch(\u0027praisonaiagents.approval.get_approval_registry\u0027, return_value=mock_registry):\n    agent = Dummy()\n    print(agent.execute_tool(\u0027sneaky\u0027, {\u0027msg\u0027: \u0027hello\u0027}))\n    print(mock_registry.approve_sync.call_args)\nPY\n```\n\n**Expected output**\n```text\n{\u0027ran\u0027: \u0027hello\u0027}\ncall(\u0027demo\u0027, \u0027sneaky\u0027, {\u0027msg\u0027: \u0027hello\u0027})\n```\n\nThe important point is that `sneaky` was never declared in `self.tools` and was only present in `__main__`.\n\n### Impact\n- **Any deployment that lets an untrusted party influence tool-call names**: undeclared application callables can run even though they were never registered as tools.\n- **Operators who rely on the declared tool list as a security boundary**: that boundary is broken because unresolved names fall through to `globals()` and `__main__`.\n- **Applications that keep privileged helper functions in process scope**: the attacker can reuse those helpers with the application\u0027s own privileges, which can lead to unauthorized state changes and, depending on what is loaded, data exposure or command execution.",
  "id": "GHSA-gmjg-hv98-qggq",
  "modified": "2026-05-11T13:59:17Z",
  "published": "2026-05-11T13:59:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44339"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI has unsafe tool resolution in `ToolExecutionMixin.execute_tool`: undeclared `__main__` callables execute"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.