Skip to main content

Python CVE-2026-39891

| EUVDEUVD-2026-20639 HIGH
Code Injection (CWE-94)
2026-04-08 https://github.com/MervinPraison/PraisonAI GHSA-hwg5-x759-7wjg
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 22, 2026 - 16:52 vuln.today
cvss_changed
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20639
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 19:21 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

Direct insertion of unescaped user input into template-rendering tools allows arbitrary code execution via specially crafted agent instructions.

Details

The create_agent_centric_tools() function returns tools (like acp_create_file) that process file content using template rendering. When user input from agent.start() is passed directly into these tools without escaping (as shown in agent_centric_example.py:85-86), template expressions in the input are executed rather than treated as literal text. This occurs because:

  1. No input sanitization or escaping is applied to user-controlled content
  2. The ACP-enabled runtime auto-approves operations (approval_mode="auto")
  3. Tools lack context-aware escaping for template syntax

PoC

python
# Replace the agent.start() call at line 85 with:
result = agent.start('Create file with content: {{ self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned") }}')

Successful exploitation creates /tmp/pwned confirming arbitrary command execution. The expression {{7*7}} renders as 49 instead of literal text.

Impact

Attackers can execute arbitrary system commands with the privileges of the running process by injecting malicious template expressions through agent instructions. This compromises the host system, enabling data theft, ransomware deployment, or lateral movement.

Recommended Fix

  1. Input Sanitization: Implement strict whitelist validation for file content
  2. Contextual Escaping: Auto-escape template syntax characters (e.g., {{ }}) in user input using Jinja2 autoescape=True
  3. Sandboxing: Restrict template execution environments using secure eval modes
  4. Approval Hardening: Require manual approval for file creation operations in production

AnalysisAI

Template injection in PraisonAI Python package enables remote code execution through unescaped user input in agent-centric tools. Authenticated attackers inject malicious Jinja2 template expressions via agent instructions to execute arbitrary system commands with process privileges. The create_agent_centric_tools() function passes unsanitized user input directly to template-rendering tools under auto-approval mode, causing expressions like {{self.__init__.__globals__.__builtins__.__import__("os").system("touch /tmp/pwned")}} to execute rather than render as literal text. Affects PraisonAI pip package. No public exploit identified at time of analysis beyond proof-of-concept in advisory.

Technical ContextAI

Root cause is CWE-94 code injection through server-side template injection (SSTI) in Jinja2 engine. The acp_create_file tool accepts user-controlled content from agent.start() without escaping template delimiters, while auto-approval mode bypasses runtime validation. Successful exploitation leverages Python introspection (self.__init__.__globals__.__builtins__) to access os.system() through template context, achieving arbitrary command execution within the rendering sandbox.

RemediationAI

Vendor-released patch: upgrade to PraisonAI version 4.5.115 or later per https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115. Immediate mitigation: enable Jinja2 autoescape=True globally in template initialization; implement strict input validation with whitelisting for file content parameters; disable auto-approval mode (set approval_mode to "manual" for production deployments); apply sandboxed template execution using Jinja2 SandboxedEnvironment class to restrict access to dangerous built-ins. For unpatched systems, disable or restrict access to agent-centric tools requiring template rendering. Review application logs for suspicious template expressions containing __init__, __globals__, or __import__ patterns. Consult vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg for additional context and validation testing procedures.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-39891 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy