CVE-2026-34938
published 2026-04-03CVE-2026-34938: PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer…
PriorityP266critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.71%
48.7th percentile
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 1.5.90 | 1.5.90 |
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.90 | 1.5.90 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |
| praison | praisonaiagents | < 1.5.90 | 1.5.90 |
CVSS provenance
nvdv3.110.0CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
ghsa10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
ghsa·2026-05-29·CVSS 10.0
CVE-2026-47392 [CRITICAL] CWE-184 PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string construction. This achieves arbitrary OS command execution on the host, completely defeating the sandbox.
This is a **novel bypass** that survives all patches for CVE-2026-39888 (frame traversal), CVE-2026-34938 (str subclass), and CVE-2026-40158 (`type.__getattribute__` trampoline).
---
## Severity
**CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.9 Critical**
---
## Root Cause
Three independent ga
GHSA
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
ghsa·2026-04-01
CVE-2026-34938 [CRITICAL] CWE-693 PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
### Summary
`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.
### Details
`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)
```python
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
if isinstance(name, str) and name.startswith('_'): # isinstance passes for subclasses
raise AttributeError(...)
# hop -- type() is whitelisted in safe_builtins, creates str subclass without class key
OSV
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
osv·2026-04-01
CVE-2026-34938 [CRITICAL] PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code
### Summary
`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.
### Details
`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)
```python
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
if isinstance(name, str) and name.startswith('_'): # isinstance passes for subclasses
raise AttributeError(...)
# hop -- type() is whitelisted in safe_builtins, creates str subclass without class key
No detection rules found.
No public exploits indexed.
2026-04-03
Published