PT-2026-29826 · Praisonai · Praisonai

Yerang30 · Published 2026-04-01 · Updated 2026-04-03 · CVE-2026-34939

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 4.5.90

Description

PraisonAI's MCPToolIndex.search_tools() function takes a query string directly from the caller and compiles it as a Python regular expression with re.compile(), without validation, sanitization, or a timeout. The compiled pattern is then used to search tool names and hints. A crafted regular expression can cause catastrophic backtracking in the re engine, blocking the Python thread for hundreds of seconds and leading to a complete service outage. The issue is located in tool_index.py, lines 365 to 368.

Recommendations

Update PraisonAI to version 4.5.90 or later.
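
The pattern described above, next to one way to remove the regex engine from the caller's reach. This is an added example, not PraisonAI's code and not the fix shipped in 4.5.90; the function names, SAMPLE_TOOLS and MAX_QUERY_LEN are assumptions made for illustration.

```python
import re

MAX_QUERY_LEN = 128  # assumed cap for this example, not a value from the advisory

# Constructed sample index of (tool name, hint) pairs; not PraisonAI data.
SAMPLE_TOOLS = [
    ("file_read", "read a file from disk"),
    ("web_search", "search the web (beta)"),
    ("calc", "evaluate a+b style arithmetic"),
]


def search_tools_unsafe(query, tools=SAMPLE_TOOLS):
    """Shape of the flaw: the caller's string becomes the regex itself."""
    pattern = re.compile(query, re.IGNORECASE)  # caller decides how much work re does
    return [name for name, hint in tools
            if pattern.search(name) or pattern.search(hint)]


def search_tools_safe(query, tools=SAMPLE_TOOLS):
    """Hypothetical hardened variant: bounded, literal, case-insensitive match.

    Substring matching is linear in the input size, so no query can trigger
    backtracking, and metacharacters such as '+' or '(' are plain text.
    """
    if not isinstance(query, str) or not query:
        return []
    if len(query) > MAX_QUERY_LEN:
        raise ValueError("query exceeds %d characters" % MAX_QUERY_LEN)
    needle = query.casefold()
    return [name for name, hint in tools
            if needle in name.casefold() or needle in hint.casefold()]


if __name__ == "__main__":
    # "a+b" is regex syntax to the unsafe version and literal text to the safe one.
    print("unsafe:", search_tools_unsafe("a+b"))
    print("safe:  ", search_tools_safe("a+b"))
    # An unbalanced "(" makes re.compile() raise; the safe version just matches it.
    print("safe:  ", search_tools_safe("(beta"))
```

Python's re module has no per-match timeout, so where pattern search is a real requirement the matching has to run somewhere it can be bounded and killed rather than on the serving thread.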

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-34939
GHSA-8W9J-HC3G-3G7F

Affected Products

Praisonai