Description
PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.
Published: 2026-04-08
Score: 10 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

PraisonAIAgents includes a sandbox escape flaw in its execute_code method when operating in subprocess mode. The method runs user code in a restricted subprocess with a limited __builtins__ dictionary and an abstract syntax tree blocklist. In the vulnerability, four attribute names that enable frame traversal are omitted from the subprocess blocklist. By chaining these attributes through a caught exception, a malicious caller can surface the real Python builtins dictionary of the wrapper frame, retrieve the exec function under an unblocked name, and thereby execute arbitrary code, bypassing all remaining security controls. The weakness is classified as CWE‑657 and CWE‑693.

Affected Systems

MervinPraison’s PraisonAI agents, version 1.5.115 and earlier, are affected. No other vendors or product versions are listed in the advisory.

Risk and Exploitability

The base CVSS score is 10, indicating maximum severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can supply code to execute_code—such as through an exposed API, plugin interface, or other code payload mechanism—can trigger the exception chain without requiring elevated system privileges. This makes exploitation relatively straightforward for any user with access to the vulnerable function.

Generated by OpenCVE AI on April 8, 2026 at 23:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to PraisonAIAgents version 1.5.115 or later
  • If an upgrade is not immediately possible, disable or remove any use of python_tools.execute_code in subprocess mode
  • Ensure that all interfaces that invoke execute_code are protected by strong authentication and authorization controls
  • Monitor logs for abnormal exception patterns that may indicate abuse of the sandbox escape

Generated by OpenCVE AI on April 8, 2026 at 23:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qf73-2hrx-xprp PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
History

Wed, 15 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonaiagents

Wed, 08 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.
Title PraisonAIAgents has a sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
Weaknesses CWE-657
CWE-693
References
Metrics cvssV3_1

{'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Mervinpraison Praisonaiagents
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T20:21:16.297Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39888

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Analyzed

Published: 2026-04-08T21:17:00.990

Modified: 2026-04-15T18:02:58.940

Link: CVE-2026-39888

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:27:15Z

Weaknesses