Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.
Published: 2026-04-10
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

PraisonAI automatically loads and executes a file named tools.py from the current working directory during startup. The loader uses importlib.util.spec_from_file_location and runs module‑level code without any user consent, validation, or sandboxing. Because the file is loaded implicitly, even when it is not referenced in configuration files, placing a malicious tools.py in the working directory is sufficient to trigger code execution. This behavior breaks the expected security boundary between user‑controlled project files and executable code.
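The following added example (not PraisonAI's code) contrasts the implicit loading pattern described above with an opt-in loader that also refuses files other users can modify. The function names, the marker file and the sample tools.py content are assumptions constructed for illustration.

```python
import importlib.util
import os
import stat
import tempfile
from pathlib import Path

# Constructed sample tools.py: harmless module-level code that drops a marker file.
SAMPLE_TOOLS = "from pathlib import Path\nPath(__file__).with_name('ran.marker').touch()\n"

def _exec_file(path):
    spec = importlib.util.spec_from_file_location("tools", str(path))
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # module-level code runs at this call
    return module

def load_tools_implicit(workdir):
    """Pattern from the advisory: tools.py runs merely because it exists."""
    path = Path(workdir) / "tools.py"
    return _exec_file(path) if path.is_file() else None

def load_tools_opt_in(tools_path=None):
    """Hypothetical hardened loader: nothing runs unless the caller names the file."""
    if tools_path is None:
        return None
    path = Path(tools_path).resolve(strict=True)
    mode = path.stat().st_mode
    if not stat.S_ISREG(mode) or mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(f"refusing {path}: not a regular file or writable by others")
    return _exec_file(path)

def demo():
    results = {"world_writable_rejected": False}
    with tempfile.TemporaryDirectory() as workdir:
        tools, marker = Path(workdir) / "tools.py", Path(workdir) / "ran.marker"
        tools.write_text(SAMPLE_TOOLS)
        load_tools_opt_in()                    # no opt-in: the file is ignored
        results["opt_in_default_ran"] = marker.exists()
        load_tools_implicit(workdir)           # presence alone triggers execution
        results["implicit_ran"] = marker.exists()
        marker.unlink(missing_ok=True)
        os.chmod(tools, 0o666)                 # simulate a file others can modify
        try:
            load_tools_opt_in(tools)
        except PermissionError:
            results["world_writable_rejected"] = True
        results["world_writable_ran"] = marker.exists()
    return results

if __name__ == "__main__":
    print(demo())
```

The permission check uses POSIX mode bits, so it is meaningful on Linux and macOS runners but not on Windows.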

Affected Systems

The vulnerability applies to MervinPraison’s PraisonAI product in all releases prior to version 4.5.128. Users running any older version are exposed when a tools.py file exists in the directory where PraisonAI is executed.

Risk and Exploitability

The CVSS score of 7.8 indicates high severity. No EPSS score is reported, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the ability to place a tools.py file in the working directory, such as through compromised write permissions or insecure CI/CD configurations. The combination of a high CVSS rating and the potential for automated code execution makes this a notable risk that demands timely remediation.

Generated by OpenCVE AI on April 10, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.128 or later to stop the automatic execution of tools.py.


Advisories
Source | ID | Title
Github GHSA | GHSA-2g3w-cpc4-chr4 | PraisonAI Vulnerable to Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
History

Mon, 20 Apr 2026 20:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Praison; Praison praisonai
CPEs | | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products | | Praison; Praison praisonai

Mon, 13 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mervinpraison; Mervinpraison praisonai
Vendors & Products | | Mervinpraison; Mervinpraison praisonai

Fri, 10 Apr 2026 17:15:00 +0000

Type | Values Removed | Values Added
Description | | PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.
Title | | PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading
Weaknesses | | CWE-426; CWE-829; CWE-94
References | |
Metrics | | cvssV3_1: {'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:51.249Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40156

Vulnrichment

Updated: 2026-04-13T15:25:18.104Z

NVD

Status: Analyzed

Published: 2026-04-10T17:17:13.297

Modified: 2026-04-20T19:56:07.327

Link: CVE-2026-40156

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:18Z