CRITICAL🇵🇱 Wersja polska

CVE-2026-39888

CVSS 9.9v3.1pub. 2026-04-08upd. 2026-04-15

PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.

🤖 AI Analysis
How it works

The `execute_code()` function in `praisonaiagents.tools.python_tools` executes user code in a subprocess with a restricted `__builtins__` dictionary and AST-based blocking. The list of blocked attributes in this subprocess contains only 11 names — significantly fewer than the 30+ blocked in the direct execution path. Four key attributes for stack frame traversal (`__traceback__`, `tb_frame`, `f_back`, `f_builtins`) are completely absent from the subprocess blocklist. An attacker can chain them through exception handling, gaining access to the actual `builtins` dictionary of the wrapper frame, and then retrieve and invoke `exec` under an unblocked variable name — bypassing all remaining security layers.

Impact

An attacker with basic access (low privileges) can execute arbitrary code in the context of the host process, gaining full control over confidentiality, integrity, and availability of the system, including the ability for lateral movement in multi-tenant environments.

Mitigation & patch

PraisonAI must be updated to version 1.5.115 or later, in which the vulnerability has been fixed. According to vendor references, the patch is available in the official GitHub repository of the project.

Who is affected

PraisonAI (Praison Praisonai) in versions prior to 1.5.115

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Praison Praisonai

    APP
    Praison
    < 1.5.115
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-44336CRITICAL9.4PL ✓ten sam produkt

Path Traversal i RCE w PraisonAI MCP Server (serwer narzędzi plikowych)

CVE-2026-41497CRITICAL9.8PL ✓ten sam produkt

Command Injection w PraisonAI — brak walidacji poleceń MCP

CVE-2026-40313CRITICAL9.1PL ✓ten sam produkt

PraisonAI – wyciek tokenów GitHub przez atak ArtiPACKED w CI/CD

CVE-2026-40288CRITICAL9.8PL ✓ten sam produkt

PraisonAI — RCE i command injection przez niezaufowane pliki YAML

CVE-2026-40289CRITICAL9.1PL ✓ten sam produkt

PraisonAI – nieuwierzytelnione przejęcie sesji przeglądarki przez WebSocket