CVE Disclosure

CVE-2026-47398

PraisonAI · Python

Code injection — unguarded spec.loader.exec_module call sites load attacker-controlled module paths from YAML

CVSS: 8.1
Severity: High
Class: CWE-94
Fixed in: 4.6.40

Summary

CVE-2026-47398 is a high-severity (CVSS 8.1) code-injection vulnerability in PraisonAI. Two unguarded spec.loader.exec_module call sites in agents_generator.py accept module_path parameters from YAML configuration without validation, and without the PRAISONAI_ALLOW_LOCAL_TOOLS environment-variable check that was applied to other vulnerable functions in v4.6.32.

These functions execute code from user-controlled paths during tool registry construction — before any security validation occurs, and before any LLM interaction.

Impact

Arbitrary code execution with the process's privileges (CWE-94 / CWE-426 / CWE-829). When combined with the recipe server's default settings, exploitation requires no authentication. Because the code path runs before any LLM interaction, an attacker does not need valid API keys — the malicious module_path in a YAML recipe is enough.

Resolution

Upgrade to PraisonAI 4.6.40 or later, which extends the allow-local-tools guard to the previously-unprotected exec_module call sites. For reviewers: when a guard is added in response to one finding (here, the v4.6.32 PRAISONAI_ALLOW_LOCAL_TOOLS check), every sibling call site that reaches the same dangerous primitive must be enumerated and gated too — a partial fix leaves the same primitive reachable by another door.
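Added example (not PraisonAI's own code): a guarded loader for YAML-supplied module_path values, modelled on the PRAISONAI_ALLOW_LOCAL_TOOLS gate this advisory describes, with the gate checked before any file is read or executed. The function names, the tools_root confinement check and the accepted env-var values are assumptions for illustration; the demo recipe values and tool file are constructed.

```python
import importlib.util
import tempfile
from pathlib import Path

ENV_FLAG = "PRAISONAI_ALLOW_LOCAL_TOOLS"  # the opt-in named in the advisory

def local_tools_allowed(env) -> bool:
    # Off by default: loading local modules from a recipe is an explicit opt-in.
    return env.get(ENV_FLAG, "").lower() in ("1", "true", "yes")

def resolve_tool_path(module_path: str, tools_root: Path) -> Path:
    # Confine the YAML-supplied path to tools_root (assumed layout); absolute
    # paths and '..' traversal both resolve outside root and are rejected.
    root = tools_root.resolve()
    candidate = (root / module_path).resolve()
    if candidate.suffix != ".py" or root not in candidate.parents:
        raise ValueError(f"module_path {module_path!r} escapes {root}")
    return candidate

def load_tool_module(module_path: str, tools_root: Path, env):
    """Guarded counterpart of an unguarded spec.loader.exec_module call site."""
    if not local_tools_allowed(env):  # gate first: no filesystem access, no exec
        raise PermissionError(f"set {ENV_FLAG}=1 to load local tool modules")
    path = resolve_tool_path(module_path, tools_root)
    spec = importlib.util.spec_from_file_location(f"local_tools.{path.stem}", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # reached only after both checks pass
    return module

def try_load(module_path: str, tools_root: Path, env: dict) -> str:
    """Return the tool's run() output, or the class name of the refusal."""
    try:
        return load_tool_module(module_path, tools_root, env).run()
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__

def demo() -> dict:
    """Constructed scenario: a benign tool in tools_root, a decoy outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tools"
        root.mkdir()
        (root / "greet.py").write_text("def run():\n    return 'hello from tool'\n")
        (Path(tmp) / "outside.py").write_text("def run():\n    return 'must not run'\n")
        enabled = {ENV_FLAG: "1"}
        return {
            "gate_closed": try_load("greet.py", root, {}),          # PermissionError
            "traversal": try_load("../outside.py", root, enabled),  # ValueError
            "allowed": try_load("greet.py", root, enabled),         # hello from tool
        }
```

Every code path that reaches exec_module goes through load_tool_module, which is the property a reviewer checks when auditing sibling call sites for the partial-fix pattern described above.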

Disclosure

Reported by Kai Aizen & Avraham Shemesh (SnailSploit). Status: Published. Coordinated with the PraisonAI maintainer; fixed in 4.6.40. See also the companion finding CVE-2026-47393 (auth disabled by default).

Author
Kai Aizen & Avraham Shemesh
Independent adversarial research group. Published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-47398
Product: PraisonAI
Severity: 8.1 · High
Class: CWE-94
Affected: praisonai (pip) 2.0.0–4.6.39 · Fixed: 4.6.40
References: GHSA-78r8-wwqv-r299 · MITRE · NVD
Frequently asked

CVE-2026-47398 — questions & answers

What is CVE-2026-47398?

A high-severity code-injection vulnerability (CWE-94) in PraisonAI. Two unguarded spec.loader.exec_module call sites in agents_generator.py accept module_path from YAML without validation and without the PRAISONAI_ALLOW_LOCAL_TOOLS check applied to other functions in v4.6.32 — executing code from user-controlled paths during tool registry construction.

Am I affected by CVE-2026-47398?

You are affected if you run PraisonAI between 2.0.0 and 4.6.39 and process YAML recipes from untrusted sources. With the recipe server's default settings, exploitation requires no authentication.

How do I fix CVE-2026-47398?

Upgrade to PraisonAI 4.6.40 or later, which extends the allow-local-tools guard to the previously unprotected exec_module call sites. Until then, do not load YAML recipes from untrusted sources.

What is the impact of CVE-2026-47398?

Arbitrary code execution with process privileges. The path runs during tool registry construction before any LLM interaction, so no API keys are needed; with default recipe server settings no authentication is required. CVSS 8.1 High.

Where can I find authoritative references?

The PraisonAI GitHub Security Advisory GHSA-78r8-wwqv-r299, the MITRE CVE record for CVE-2026-47398, and the NVD detail page once published.