Platform
python
Component
praisonai
Fixed in
4.5.91
4.5.90
CVE-2026-34939 is a medium-severity Denial of Service (DoS) vulnerability affecting praisonai versions up to 4.5.9. This vulnerability arises from the insecure handling of user-supplied input within the MCPToolIndex.search_tools() function, which directly compiles a caller-supplied string as a Python regular expression without proper validation or timeout mechanisms. Successful exploitation can result in a complete service outage due to catastrophic backtracking within the regular expression engine.
An attacker can trigger this vulnerability by crafting a malicious regular expression and sending it as input to the MCPToolIndex.search_tools() function. Because the input is neither validated nor executed under a timeout, the regular expression engine can enter catastrophic backtracking, consuming excessive CPU and effectively freezing the Python thread. This leads to a complete denial of service, rendering the praisonai service unavailable to legitimate users. The blast radius extends to all users relying on the affected praisonai instance, and the impact can be significant, particularly in production environments where service availability is critical. While not directly exploitable for data exfiltration, the DoS can be used as a distraction for other attacks or to disrupt operations.
CVE-2026-34939 was published on 2026-04-01. Its severity is currently assessed as medium. No proof-of-concept (PoC) code has been publicly released as of this writing. The nature of the vulnerability (regex DoS) suggests a potential for automated exploitation, although no active campaigns have been reported. It shares characteristics with other regex-based DoS attacks, highlighting the importance of secure regular expression handling in all applications.
Exploit status
EPSS
0.05% (15th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34939 is to upgrade to praisonai version 4.5.90 or later, which includes the necessary fixes to prevent the vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds such as rate limiting requests to the MCPToolIndex.search_tools() endpoint. Additionally, implementing input validation and sanitization on the query parameter before it is used to compile the regular expression can help prevent malicious input. Consider using a timeout mechanism when compiling and executing regular expressions to limit the resources consumed by potentially malicious patterns. After upgrading, confirm the fix by attempting to trigger the vulnerability with a known malicious regex and verifying that the service remains responsive.
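The following is an added example of the validation and sanitization approach described above; it is not PraisonAI's own code. The `SafeToolIndex` class, `Tool` dataclass, `SAMPLE_TOOLS` and the query allowlist are constructed for illustration: the caller's query is length-capped, checked against an allowlist that admits no regex metacharacters, and then passed through `re.escape()` so the compiled pattern is a plain literal that cannot backtrack catastrophically.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

MAX_QUERY_LEN = 128
# Allowlist for search queries: word characters, whitespace, dot and hyphen.
# Regex metacharacters such as ( ) + * | ? are rejected before compilation.
_SAFE_QUERY = re.compile(r"^[\w\s.\-]+$")


@dataclass(frozen=True)
class Tool:
    name: str
    description: str


# Constructed sample tool index (hypothetical tools, not PraisonAI's registry).
SAMPLE_TOOLS = [
    Tool("read_file", "Read a local file"),
    Tool("write_file", "Write text to a local file"),
    Tool("fetch_url", "Fetch a resource over HTTP"),
    Tool("list_dir", "List directory entries"),
]


class SafeToolIndex:
    """Stand-in for an MCP tool index with a hardened search_tools()."""

    def __init__(self, tools: Iterable[Tool]) -> None:
        self._tools = list(tools)

    @staticmethod
    def validate_query(query: str) -> str:
        """Reject empty, oversized, or metacharacter-bearing queries."""
        if not isinstance(query, str):
            raise TypeError("query must be a string")
        query = query.strip()
        if not query:
            raise ValueError("empty query")
        if len(query) > MAX_QUERY_LEN:
            raise ValueError("query exceeds %d characters" % MAX_QUERY_LEN)
        if not _SAFE_QUERY.fullmatch(query):
            raise ValueError("query contains unsupported characters")
        return query

    def search_tools(self, query: str) -> List[str]:
        """Case-insensitive literal substring search over tool names and descriptions."""
        query = self.validate_query(query)
        # re.escape() makes every character match itself, so the pattern has no
        # quantifiers or alternation and its matching time is linear in the input.
        pattern = re.compile(re.escape(query), re.IGNORECASE)
        return [t.name for t in self._tools
                if pattern.search(t.name) or pattern.search(t.description)]
```

If the search genuinely needs pattern semantics, keep the length cap and run the match in a separate process with a wall-clock limit instead of escaping, since a Python thread cannot interrupt a regex evaluation in progress.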
Update PraisonAI to version 4.5.90 or later to mitigate the vulnerability. This version fixes the issue by validating and sanitizing user-supplied regular expression strings before compiling them.
CVE-2026-34939 is a medium-severity Denial of Service vulnerability in praisonai versions up to 4.5.9. A malicious regular expression can cause catastrophic backtracking, leading to service outages.
You are affected if you are running praisonai version 4.5.9 or earlier. Check your version with praisonai --version.
Upgrade to praisonai version 4.5.90 or later to resolve the vulnerability. Implement temporary workarounds like rate limiting if an immediate upgrade is not possible.
No active exploitation campaigns have been reported as of this writing, but the vulnerability's nature suggests a potential for automated exploitation.
Refer to the praisonai project's official website or security advisories for the latest information and updates regarding CVE-2026-34939.