CVE-2026-39888
published 2026-04-08CVE-2026-39888: PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs…
PriorityP359critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
EPSS
0.54%
41.3th percentile
PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | < 1.5.115 | 1.5.115 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.115 | 1.5.115 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |
| praison | praisonai | < 1.5.115 | 1.5.115 |
CVSS provenance
nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ghsa10.0CRITICAL
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
ghsa·2026-05-29·CVSS 10.0
CVE-2026-47392 [CRITICAL] CWE-184 PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents/tools/python_tools.py` (v1.6.37, subprocess sandbox mode) can be fully bypassed using `print.__self__` to retrieve the real Python `builtins` module, from which `__import__` can be extracted via `vars()` and runtime string construction. This achieves arbitrary OS command execution on the host, completely defeating the sandbox.
This is a **novel bypass** that survives all patches for CVE-2026-39888 (frame traversal), CVE-2026-34938 (str subclass), and CVE-2026-40158 (`type.__getattribute__` trampoline).
---
## Severity
**CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.9 Critical**
---
## Root Cause
Three independent ga
GHSA
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
ghsa·2026-04-08
CVE-2026-39888 [CRITICAL] CWE-657 PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents.tools.python_tools` defaults to
`sandbox_mode="sandbox"`, which runs user code in a subprocess wrapped with a
restricted `__builtins__` dict and an AST-based blocklist. The AST blocklist
embedded inside the subprocess wrapper (`blocked_attrs`, line 143 of
`python_tools.py`) contains only 11 attribute names — a strict subset of the 30+
names blocked in the direct-execution path. The four attributes that form a
frame-traversal chain out of the sandbox are all absent from the subprocess list:
| Attribute | In subprocess `blocked_attrs` | In direct-mode `_blocked_attrs` |
|---|---|---|
| `__traceback__` | **NO** | YES |
| `tb_frame` | **NO** | YES |
OSV
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
osv·2026-04-08
CVE-2026-39888 [CRITICAL] PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
PraisonAI has sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
## Summary
`execute_code()` in `praisonaiagents.tools.python_tools` defaults to
`sandbox_mode="sandbox"`, which runs user code in a subprocess wrapped with a
restricted `__builtins__` dict and an AST-based blocklist. The AST blocklist
embedded inside the subprocess wrapper (`blocked_attrs`, line 143 of
`python_tools.py`) contains only 11 attribute names — a strict subset of the 30+
names blocked in the direct-execution path. The four attributes that form a
frame-traversal chain out of the sandbox are all absent from the subprocess list:
| Attribute | In subprocess `blocked_attrs` | In direct-mode `_blocked_attrs` |
|---|---|---|
| `__traceback__` | **NO** | YES |
| `tb_frame` | **NO** | YES |
No detection rules found.
No public exploits indexed.
2026-04-08
Published