CVE-2026-40287
Published 2026-04-14
Priority: P3 · 49 · High
CVSS 3.1: 8.4 · CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.25% (15.8th percentile)
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | — | — |
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonai | >= 0 < 4.6.59 | 4.6.59 |
| mervinpraison | praisonai | >= 0 < 4.5.139 | 4.5.139 |
| mervinpraison | praisonai | >= 4.5.139 < 4.6.32 | 4.6.32 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.140 | 1.5.140 |
| praison | praisonai | < 4.5.139 | 4.5.139 |
| praison | praisonai | >= 4.5.139 < 4.6.32 | 4.6.32 |
| praison | praisonaiagents | < 1.5.140 | 1.5.140 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| ghsa | — | 8.4 | HIGH | — |
GHSA
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
ghsa·2026-06-18
CVE-2026-40287 [CRITICAL] CWE-306 PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
# praisonai: Jobs API exposes agent-execution endpoints with no authentication
**Researcher:** Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research
**Target:** https://github.com/MervinPraison/PraisonAI
---
**Package:** `praisonai` on PyPI
**Affected version (empirically tested):** 4.6.48
**Components:**
- `praisonai.jobs.server.create_app` — `praisonai/jobs/server.py`
- `praisonai.jobs.router.create_router` — `praisonai/jobs/router.py`
- Routes mounted at `/api/v1/runs/...`
**Weakness:** CWE-306 Missing Authentication for Critical Function · CWE-862 Missing Authorization · CWE-94 Code Injection (via prompt / agent_yaml).
---
## TL;DR
`praisonai` ships a standalone async-jobs HT
GHSA
PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
ghsa·2026-05-29·CVSS 7.8
CVE-2026-47398 [HIGH] CWE-829 PraisonAI: Arbitrary code execution via unguarded `spec.loader.exec_module` in `agents_generator.py` - sibling of CVE-2026-44334
Arbitrary code execution via ungated spec.loader.exec_module in agents_generator.py (v4.6.32 chokepoint refactor bypass)
Summary
The v4.6.32 chokepoint refactor (which patched CVE-2026-44334 / GHSA-xcmw-grxf-wjhj) added the PRAISONAI_ALLOW_LOCAL_TOOLS env-var gate to the tool_override.py sinks. However, two additional spec.loader.exec_module call sites in praisonai/agents_generator.py were missed and remain completely unguarded on current master (v4.6.37). Both functions accept a module_path parameter sourced from YAML configuration and execute it without validation, signature checking, or the env-var gate.
Patch lineage
CVE | GHSA | Fixed in | What was patched
GHSA
PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
ghsa·2026-05-06·CVSS 8.4
CVE-2026-44334 [HIGH] CWE-94 PraisonAI has unauthenticated RCE via `tool_override.py` (CVE-2026-40287 patch bypass)
## TL;DR
CVE-2026-40287's fix gated `tools.py` auto-import behind `PRAISONAI_ALLOW_LOCAL_TOOLS=true` in **two** files (`tool_resolver.py`, `api/call.py`). A **third** import sink in `praisonai/templates/tool_override.py` was missed and remains unguarded. It is reached by the recipe runner on every recipe execution and is **remotely** triggerable through `POST /v1/recipes/run` with a `recipe` value pointing at any local absolute path *or* any GitHub repo (because `SecurityConfig.allow_any_github` defaults to `True`). The attacker drops a `tools.py` next to `TEMPLATE.yaml`; the server `exec_module()`s it. No auth required by default, no environment opt-in required.
## Patch coverage gap
CVE-2026-40287
GHSA
PraisonAI Vulnerable to RCE via Automatic tools.py Import
ghsa·2026-04-10
CVE-2026-40287 [HIGH] CWE-426 PraisonAI Vulnerable to RCE via Automatic tools.py Import
PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.
A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.
### Affected Code
- call.py → `import_tools_from_file()`
- tool_resolver.py → `_load_local_tools()`
- tools.py → local tool import flow
### PoC
Create tools.py in the directory where PraisonAI is launched:
```python
# tools.py
import os
os.system("echo pwned > /tmp/pwned.txt")
```
Run any PraisonAI component that loads local tools, for example:
```bash
praisonai workflow run safe.yaml
```
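The import primitive the PoC above relies on is a plain `spec.loader.exec_module()` of whatever `tools.py` happens to sit in the working directory. The block below is an added example, not PraisonAI's own code or its actual fix: it shows that vulnerable pattern next to a gated loader that refuses to import unless the operator has opted in via `PRAISONAI_ALLOW_LOCAL_TOOLS` (the gate the later advisories name), the file resolves under an operator-chosen trusted directory, and an optional SHA-256 pin matches. The function names, the trusted-root and pin controls, and the harmless sample `tools.py` are assumptions constructed for the demonstration.

```python
"""
Local tool import: the auto-import pattern behind CVE-2026-40287 beside a gated loader.
Added example, not PraisonAI's code. Function names and the trusted-root / SHA-256 pin
controls are assumptions; PRAISONAI_ALLOW_LOCAL_TOOLS is the opt-in gate the advisories name.
"""
import hashlib
import importlib.util
import tempfile
from pathlib import Path
from types import ModuleType
from typing import Mapping, Optional

OPT_IN_ENV = "PRAISONAI_ALLOW_LOCAL_TOOLS"  # opt-in gate named in the advisory text
TOOLS_FILENAME = "tools.py"


class LocalToolsPolicyError(Exception):
    """Raised when a local tools.py exists but policy forbids importing it."""


def _exec_tools_module(path: Path) -> ModuleType:
    # The primitive both loaders share: every top-level statement in tools.py runs here.
    spec = importlib.util.spec_from_file_location("tools", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def unsafe_load_local_tools(cwd: Path) -> Optional[ModuleType]:
    """Vulnerable pattern: the mere presence of ./tools.py in the working directory is enough."""
    path = cwd / TOOLS_FILENAME
    return _exec_tools_module(path) if path.is_file() else None


def gated_load_local_tools(cwd: Path, env: Mapping[str, str], trusted_root: Path,
                           expected_sha256: Optional[str] = None) -> Optional[ModuleType]:
    """Hardened pattern (assumed design): import only when (1) the operator opted in,
    (2) the file resolves under a trusted root, so a cloned repo or shared workspace
    cannot smuggle one in, and (3) an optional SHA-256 pin matches, so an approved file
    cannot be swapped out silently."""
    path = cwd / TOOLS_FILENAME
    if not path.is_file():
        return None
    if env.get(OPT_IN_ENV, "").lower() != "true":
        raise LocalToolsPolicyError(f"{path} found but {OPT_IN_ENV} is not 'true'; refusing to import")
    resolved = path.resolve()  # follows symlinks, so a link pointing out of the root is caught
    root = Path(trusted_root).resolve()
    if root not in resolved.parents:
        raise LocalToolsPolicyError(f"{resolved} is outside trusted root {root}")
    if expected_sha256 is not None:
        digest = hashlib.sha256(resolved.read_bytes()).hexdigest()
        if digest != expected_sha256:
            raise LocalToolsPolicyError(f"{resolved} has SHA-256 {digest}, which does not match the pin")
    return _exec_tools_module(resolved)


def _blocked(fn, *args) -> bool:
    """True if the loader refused on policy grounds."""
    try:
        fn(*args)
    except LocalToolsPolicyError:
        return True
    return False


def demo() -> dict:
    """Constructed scenario: a harmless tools.py dropped into a temporary working directory."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        workdir = Path(tmp)
        tools_file = workdir / TOOLS_FILENAME
        tools_file.write_text("def greet():\n    return 'hello from tools'\n")  # constructed sample
        pin = hashlib.sha256(tools_file.read_bytes()).hexdigest()
        elsewhere = workdir / "trusted"  # a trusted root that does NOT contain the file
        elsewhere.mkdir()
        opted_in = {OPT_IN_ENV: "true"}

        results["unsafe_runs_on_presence"] = unsafe_load_local_tools(workdir).greet() == "hello from tools"
        results["blocked_without_opt_in"] = _blocked(gated_load_local_tools, workdir, {}, workdir)
        results["blocked_outside_trusted_root"] = _blocked(gated_load_local_tools, workdir, opted_in, elsewhere)
        results["blocked_on_pin_mismatch"] = _blocked(gated_load_local_tools, workdir, opted_in, workdir, "0" * 64)
        allowed = gated_load_local_tools(workdir, opted_in, workdir, pin)
        results["loads_when_policy_satisfied"] = allowed.greet() == "hello from tools"
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

The first result is the whole vulnerability in one line: the legacy loader executes the file because it exists. The gated loader fails closed on each missing control and raises a distinct policy error, which is also the place to emit a log event so that an unexpected `tools.py` in a workspace becomes a detectable signal rather than a silent import.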
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.