CVE-2026-61437 in PraisonAIinfo

Summary

by MITRE • 07/10/2026

PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow._resolve_pydantic_class (src/praisonai-agents/praisonaiagents/workflows/workflows.py). When a workflow step uses a string output_pydantic reference, the framework locates and imports a sibling tools.py from the workflow file's directory via importlib exec_module without sandboxing, ignoring the PRAISONAI_ALLOW_*_TOOLS environment variables. An attacker who controls a workflow file and its sibling tools.py can execute arbitrary Python code with the workflow runner's privileges when the workflow is executed via WorkflowManager or after load_yaml.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/10/2026

The vulnerability in PraisonAI agents version 1.6.78 and earlier represents a critical unsafe dynamic module loading flaw that directly impacts the security posture of any system utilizing this framework for automated workflow execution. This issue stems from the AgentFlow._resolve_pydantic_class function in workflows.py which improperly handles string references to pydantic classes, creating an attack vector where malicious actors can manipulate workflow execution through carefully crafted inputs.

The technical implementation of this vulnerability involves the framework's use of importlib exec_module without proper sandboxing mechanisms when processing sibling tools.py files located in the same directory as workflow definitions. This design choice allows arbitrary code execution during workflow loading phases, specifically when WorkflowManager or load_yaml functions are invoked to process maliciously crafted workflow files. The flaw occurs because the system ignores environment variables such as PRAISONAI_ALLOW_TOOLS and PRAISONAI_ALLOW_CUSTOM_TOOLS that are intended to control which external modules can be loaded, effectively bypassing any intended access controls.

From a cybersecurity perspective, this vulnerability aligns with CWE-470: "Use of Externally-Controlled Input to Select Classes or Code" and represents a direct violation of the principle of least privilege. The attack surface is particularly concerning because it allows remote code execution with the privileges of the workflow runner process, potentially enabling attackers to escalate their access within the system. This vulnerability can be exploited through various means including compromised workflow files, malicious third-party integrations, or supply chain attacks targeting the package distribution channels.

The operational impact of this vulnerability extends beyond immediate code execution capabilities to encompass potential data breaches, system compromise, and unauthorized access to sensitive information. An attacker who successfully exploits this vulnerability could gain complete control over the workflow execution environment, potentially accessing other system resources, exfiltrating data, or establishing persistent access points. The risk is amplified by the fact that this vulnerability can be triggered during normal workflow loading operations, making detection and prevention particularly challenging for security monitoring systems.

Mitigation strategies should focus on immediate package updates to version 1.6.78 or later where the unsafe dynamic loading has been addressed through proper sandboxing mechanisms and enforcement of environment-based access controls. Organizations should also implement network segmentation and access controls to limit which systems can execute potentially compromised workflows, while conducting thorough security reviews of any custom workflow definitions that may have been loaded into production environments. Additionally, implementing runtime monitoring for suspicious import behaviors and establishing secure coding practices for workflow definition files can help detect and prevent exploitation attempts. This vulnerability demonstrates the critical importance of validating external inputs and implementing proper code isolation mechanisms when dealing with dynamic module loading in security-sensitive applications, as outlined in the ATT&CK framework's techniques related to privilege escalation and code injection attacks.

Responsible

VulnCheck

Reservation

07/09/2026

Disclosure

07/10/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!