CVE-2026-34939
Published: 2026-04-03
Priority: P3 40 | Severity: high | CVSS 3.1 base score: 7.5
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.40% (32.0th percentile)
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, MCPToolIndex.search_tools() compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and causing a complete service outage. This issue has been patched in version 4.5.90.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.90 | 4.5.90 |
| mervinpraison | praisonai | >= 0 < 4.5.90 | 4.5.90 |
| praison | praisonai | < 4.5.90 | 4.5.90 |
OSV
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
osv · 2026-04-01 · CVE-2026-34939 · severity: MEDIUM
### Summary
`MCPToolIndex.search_tools()` compiles a caller-supplied string directly as a Python regular expression with no validation, sanitization, or timeout. A crafted regex causes catastrophic backtracking in the `re` engine, blocking the Python thread for hundreds of seconds and causing a complete service outage.
### Details
`tool_index.py:365` (source) -> `tool_index.py:368` (sink)
```python
# source -- query taken directly from caller, no validation
def search_tools(self, query: str) -> List[ToolInfo]:
    import re
    # sink -- compiled and applied with no timeout or exception handling
    pattern = re.compile(query, re.IGNORECASE)
    for tool in self.get_all_tools():
        if pattern.search(tool.name) or pa  # snippet truncated in the advisory
```
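The root cause above is that caller input reaches `re.compile()` as a pattern. The stdlib `re` module has no timeout, so the fix is to stop treating the query as a regex: `re.escape()` turns every metacharacter into a literal, which makes the compiled pattern a fixed string with linear-time matching and leaves the caller no way to supply quantifiers or alternation. The following is an added example of that hardening, not PraisonAI's code or its actual patch; the `ToolInfo` dataclass, the `description` field, the `MAX_QUERY_LEN` cap and the sample tool list are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Upper bound on query length; a defensive cap chosen for this example.
MAX_QUERY_LEN = 128


@dataclass
class ToolInfo:
    """Stand-in for the project's ToolInfo (assumption: it has a name and a description)."""
    name: str
    description: str = ""


class SafeToolIndex:
    """Minimal tool index whose search never compiles caller input as a regex."""

    def __init__(self, tools: Iterable[ToolInfo]):
        self._tools = list(tools)

    def get_all_tools(self) -> List[ToolInfo]:
        return list(self._tools)

    def search_tools(self, query: str) -> List[ToolInfo]:
        if not isinstance(query, str):
            raise TypeError("query must be a string")
        query = query.strip()
        if not query:
            return []
        if len(query) > MAX_QUERY_LEN:
            # Reject oversized input before it reaches the matcher.
            raise ValueError(f"query longer than {MAX_QUERY_LEN} characters")
        # re.escape() neutralises every regex metacharacter, so the pattern is a
        # literal substring search: no nested quantifiers, no backtracking blow-up,
        # and malformed "regex" input such as an unbalanced '(' can no longer
        # raise re.error either.
        pattern = re.compile(re.escape(query), re.IGNORECASE)
        return [
            tool for tool in self.get_all_tools()
            if pattern.search(tool.name) or pattern.search(tool.description)
        ]


# Constructed sample catalogue for the demonstration.
SAMPLE_TOOLS = [
    ToolInfo("file_read", "Read a file from disk"),
    ToolInfo("web_search", "Search the web"),
    ToolInfo("shell (legacy)", "Run a shell command"),
]


def search_names(query: str) -> List[str]:
    """Return the names of tools matching `query` in the sample index."""
    return [t.name for t in SafeToolIndex(SAMPLE_TOOLS).search_tools(query)]


def is_rejected(query: str) -> bool:
    """True when the hardened search refuses the query outright."""
    try:
        SafeToolIndex(SAMPLE_TOOLS).search_tools(query)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(search_names("FILE"))      # case-insensitive literal match
    print(search_names("shell ("))   # '(' is a literal, not a group opener
    print(search_names("(a+)+"))     # metacharacters match only themselves
    print(is_rejected("a" * 200))    # oversized query rejected
```

If regex search is a required feature rather than an accident of the implementation, keep the length cap and move the matching to an engine that enforces a deadline: the third-party `regex` package accepts a `timeout` argument on its search functions, whereas stdlib `re` does not. Either way, run the search off the request thread or behind a per-call budget so one bad query cannot stall the whole service, which is the outage the advisory describes.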
GHSA
PraisonAI Has ReDoS via Unvalidated User-Controlled Regex in MCPToolIndex.search_tools()
ghsa · 2026-04-01 · CVE-2026-34939 · severity: MEDIUM · CWE-1333
No detection rules found.
No public exploits indexed.