Vulnerability  ·  2026-05-09

Multiple Critical Vulnerabilities in PraisonAI Multi-Agent Framework

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-41497, CVE-2026-44336, CVE-2026-44334, CVE-2026-44339 (cluster)
A cluster of four Critical and High severity vulnerabilities was disclosed in PraisonAI, an open-source system for multi-agent teams. CVE-2026-41497 (CVSS 9.8) allows arbitrary command execution through MCP command handling without allowlists or argument validation. CVE-2026-44336 (CVSS 9.6) enables arbitrary file read/write via path traversal in MCP file-handling tools. CVE-2026-44334 (CVSS 8.4) bypasses the fix for CVE-2026-40287 by exploiting a missed import sink. CVE-2026-44339 (CVSS 8.6) allows arbitrary code execution through unvalidated tool-name resolution against module globals.
An attacker can craft malicious MCP commands or tool invocations that exploit inadequate input validation across PraisonAI's agent orchestration layer. For example, CVE-2026-41497 allows passing executables like bash or python with inline code-execution flags directly through parse_mcp_command(). CVE-2026-44336 accepts unsanitized file paths in praisonai.rules.create and similar tools, enabling directory traversal and arbitrary file operations.
Affected versions: PraisonAI prior to 4.6.9 (CVE-2026-41497), 4.6.32 (CVE-2026-44334), 4.6.34 (CVE-2026-44336), and 4.6.37 (CVE-2026-44339). PraisonAI is used in research and enterprise prototypes for multi-agent coordination and workflow automation.
Upgrade to the latest PraisonAI versions: 4.6.9+ for CVE-2026-41497, 4.6.32+ for CVE-2026-44334, 4.6.34+ for CVE-2026-44336, and 4.6.37+ for CVE-2026-44339. Organizations using PraisonAI in production should conduct immediate security reviews of agent-accessible tools and file-system paths, enforce strict allowlists for MCP commands, and sandbox agent execution environments.
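The three defensive checks the advisory recommends, shown as an added example that is not PraisonAI's code: an executable allowlist with per-executable flag validation for MCP server commands, confinement of tool-supplied file paths to a base directory, and an explicit tool registry instead of resolving tool names against module globals. The function names, the allowlist contents and the base directory are hypothetical; the policy values are constructed for illustration.

```python
"""Hypothetical input guards for an MCP-capable agent framework (not PraisonAI's own
code): an executable allowlist for MCP server commands, confinement of tool-supplied
file paths to a base directory, and an explicit tool registry."""
import os
from pathlib import Path

# Constructed policy: executables an MCP server may be launched from, mapped to the
# inline-code flags that must never be passed to them ("--flag" or "--flag=value").
# npx/uvx fetch the server package themselves; node is kept only to show flag checks.
MCP_COMMAND_ALLOWLIST = {
    "npx": set(),
    "uvx": set(),
    "node": {"-e", "--eval", "-p", "--print"},
}

# Shells and interpreters are never acceptable MCP commands, even if someone later
# adds them to the allowlist by mistake: any argument becomes code execution.
INTERPRETER_DENYLIST = {"bash", "sh", "zsh", "dash", "python", "python3", "perl", "ruby"}


class MCPCommandRejected(ValueError):
    pass


class PathRejected(ValueError):
    pass


def validate_mcp_command(argv):
    """Return argv unchanged if it passes the allowlist policy, else raise."""
    if not argv:
        raise MCPCommandRejected("empty command")
    exe = os.path.basename(argv[0])           # "/bin/bash" and "bash" are the same case
    if exe in INTERPRETER_DENYLIST:
        raise MCPCommandRejected(f"interpreter not permitted as MCP command: {exe}")
    if exe not in MCP_COMMAND_ALLOWLIST:
        raise MCPCommandRejected(f"executable not in allowlist: {exe}")
    forbidden = MCP_COMMAND_ALLOWLIST[exe]
    for arg in argv[1:]:
        if arg.split("=", 1)[0] in forbidden:  # catches "--eval" and "--eval=code"
            raise MCPCommandRejected(f"inline-code flag not permitted: {arg}")
    return list(argv)


def mcp_command_allowed(argv):
    """Boolean wrapper around validate_mcp_command."""
    try:
        validate_mcp_command(argv)
        return True
    except MCPCommandRejected:
        return False


def resolve_within(base_dir, user_path):
    """Resolve user_path against base_dir, refusing anything that escapes it.

    resolve() normalises '..' segments and follows symlinks, so containment is
    checked on the real location, not on the string the caller sent. An absolute
    user_path replaces base_dir in the join and therefore fails the check as well.
    """
    base = Path(base_dir).resolve()
    candidate = (base / user_path).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PathRejected(f"path escapes {base}: {user_path!r}") from None
    return candidate


def path_is_within(base_dir, user_path):
    """Boolean wrapper around resolve_within."""
    try:
        resolve_within(base_dir, user_path)
        return True
    except PathRejected:
        return False


# Explicit registry: the only names a tool-name string can ever resolve to.
def list_rules():
    return ["constructed example rule"]


TOOL_REGISTRY = {"list_rules": list_rules}


def resolve_tool(name):
    """Look the tool up in the registry only; never consult globals() or modules."""
    try:
        return TOOL_REGISTRY[name]
    except KeyError:
        raise LookupError(f"unknown tool: {name!r}") from None


if __name__ == "__main__":
    print(mcp_command_allowed(["npx", "-y", "@scope/some-mcp-server"]))  # True
    print(mcp_command_allowed(["/bin/bash", "-c", "echo test"]))         # False
    print(mcp_command_allowed(["node", "--eval=process.exit()"]))        # False
    print(path_is_within("/srv/agent/rules", "team/coding.md"))         # True
    print(path_is_within("/srv/agent/rules", "../../etc/passwd"))       # False
    print(resolve_tool("list_rules")())
```

The allowlist is the primary control; the interpreter denylist is defence in depth against a later misconfiguration. Note that containment is decided after `resolve()`, so a symlink inside the base directory that points outside it is rejected too, which a plain string prefix check would miss.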
Sources
NVD CVE-2026-41497
NVD CVE-2026-44336
NVD CVE-2026-44334
NVD CVE-2026-44339