Description
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
Published: 2026-04-14
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an attacker who can write a file to the directory where PraisonAI is launched to place a malicious tools.py file. PraisonAI imports this file automatically at startup without validation, sandboxing, or user confirmation, enabling the execution of arbitrary Python code. This leads to full compromise of the PraisonAI process, the host system, and any stored credentials or data. The weakness maps to CWE-426 (Untrusted Search Path) and CWE-94 (Code Injection).

Affected Systems

The affected products are MervinPraison PraisonAI and MervinPraison praisonaiagents. Versions 4.5.138 and earlier are vulnerable; the issue was fixed in version 4.5.139.

Risk and Exploitability

The CVSS score of 8.4 indicates a high severity. Although an EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the exploitation risk remains significant in environments where an attacker can write to the application’s launch directory—such as shared workspaces, cloned repositories, or writable build environments. Successful exploitation results in immediate arbitrary code execution with full permissions of the host process.

Generated by OpenCVE AI on April 14, 2026 at 05:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI and praisonaiagents to version 4.5.139 or later.
  • Remove or rename any tools.py file from the directory where the application is started.
  • Restrict write permissions on the launch directory to prevent unauthorized file placement.
  • Verify that startup scripts or configuration files do not automatically import local files without validation.

Generated by OpenCVE AI on April 14, 2026 at 05:51 UTC.
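
A pre-launch check in the spirit of the actions above, added here as an example (not code from OpenCVE or the PraisonAI project). It assumes a POSIX host and that the launcher runs as the user who should own the launch directory; the function name audit_launch_dir and the severity labels are illustrative.

```python
import hashlib
import os
import stat
import sys
from pathlib import Path

AUTO_IMPORTED = "tools.py"  # name the advisory says is imported from the CWD
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_launch_dir(launch_dir="."):
    """Return (severity, message) findings for a directory PraisonAI starts in."""
    findings = []
    d = Path(launch_dir).resolve()
    uid = os.getuid()
    d_stat = d.stat()
    # Anyone able to write the directory can drop or replace tools.py in it.
    if d_stat.st_mode & OTHERS_WRITE:
        findings.append(("high", f"{d} is group- or world-writable"))
    if d_stat.st_uid != uid:
        findings.append(("high", f"{d} is owned by uid {d_stat.st_uid}"))

    target = d / AUTO_IMPORTED
    try:
        t_stat = target.lstat()  # lstat: inspect the entry itself, not a link target
    except FileNotFoundError:
        return findings
    if stat.S_ISLNK(t_stat.st_mode):
        findings.append(("high", f"{target} is a symlink to {os.readlink(target)}"))
        return findings
    if not stat.S_ISREG(t_stat.st_mode):
        findings.append(("review", f"{target} is not a regular file"))
        return findings
    digest = hashlib.sha256(target.read_bytes()).hexdigest()
    # Presence alone needs review: affected versions execute it at startup.
    findings.append(("review", f"{target} present, sha256={digest}"))
    if t_stat.st_mode & OTHERS_WRITE:
        findings.append(("high", f"{target} is group- or world-writable"))
    if t_stat.st_uid != uid:
        findings.append(("high", f"{target} is owned by uid {t_stat.st_uid}"))
    return findings


if __name__ == "__main__":
    results = audit_launch_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for severity, message in results:
        print(f"[{severity}] {message}")
    # Non-zero exit lets a wrapper script refuse to start the application.
    sys.exit(1 if any(s == "high" for s, _ in results) else 0)
```

The printed SHA-256 can be compared against the digest of a tools.py that has already been reviewed, so an unexpected replacement is noticed before the application starts.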


Advisories
Source: GitHub GHSA
ID: GHSA-g985-wjh9-qxxc
Title: PraisonAI Vulnerable to RCE via Automatic tools.py Import
History

Mon, 20 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared: Praison; Praison praisonai; Praison praisonaiagents
CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*; cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*
Vendors & Products: Praison; Praison praisonai; Praison praisonaiagents

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared: Mervinpraison; Mervinpraison praisonai; Mervinpraison praisonaiagents
Vendors & Products: Mervinpraison; Mervinpraison praisonai; Mervinpraison praisonaiagents

Tue, 14 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 14 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Title: PraisonAI has RCE via Automatic tools.py Import
Weaknesses: CWE-426, CWE-94
References
Metrics: cvssV3_1 {'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T13:23:29.807Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40287

Vulnrichment

Updated: 2026-04-14T13:23:12.078Z

NVD

Status: Analyzed

Published: 2026-04-14T04:17:11.977

Modified: 2026-04-20T17:47:31.400

Link: CVE-2026-40287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:30:56Z

Weaknesses