Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.getattribute, resulting in incomplete enforcement of security restrictions. The string '__subclasses__' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.
Published: 2026-04-10
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted code execution within the sandbox
Action: Immediate Patch
AI Analysis

Impact

PraisonAI’s Python sandbox enforces security through AST filtering of attribute access. Prior to version 4.5.128, the filter only examines ast.Attribute nodes, allowing a type.__getattribute__ trampoline to bypass the blacklist. This enables an attacker to inject malicious code via the string '__subclasses__', which is parsed as an ast.Constant and never checked, leading to arbitrary code execution when the sandbox runs untrusted agent code. The weakness maps to CWE‑94 (Code Injection) and CWE‑693 (Improper Control of Generation of Code).

Affected Systems

The vulnerability affects the PraisonAI release maintained by MervinPraison, specifically all versions before 4.5.128. Users running any of these affected builds are at risk if they allow untrusted agents to execute code within the platform.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity, and while EPSS data is unavailable, the lack of a KEV listing suggests no publicly known widespread exploitation yet. The likely attack vector is the execution of malicious agent code supplied by an adversary, which then bypasses the sandbox and runs arbitrary Python. This could compromise confidentiality, integrity, and availability of the host system if the sandbox is used in a privileged context.

Generated by OpenCVE AI on April 10, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.128 or newer.

Generated by OpenCVE AI on April 10, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-3c4r-6p77-xwr7 PraisonAI Vulnerable to Code Injection and Protection Mechanism Failure
History

Mon, 20 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Fri, 10 Apr 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.getattribute, resulting in incomplete enforcement of security restrictions. The string '__subclasses__' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.
Title PraisonAI has Improper Control of Generation of Code ('Code Injection') and Protection Mechanism Failure in praisonai
Weaknesses CWE-693
CWE-94
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T18:31:12.440Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40158

cve-icon Vulnrichment

Updated: 2026-04-10T18:31:07.444Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:13.603

Modified: 2026-04-20T19:38:25.277

Link: CVE-2026-40158

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:16Z

Weaknesses