What is the CVSS score of CVE-2026-40156?

CVE-2026-40156 has a CVSS 3.1 base score of 7.8 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of PraisonAI are affected by CVE-2026-40156?

PraisonAI versions prior to 4.5.128 contain an arbitrary code execution vulnerability that allows attackers to execute malicious code through a crafted tools.py file in the working directory, posing…. A patch is available.

PraisonAI CVE-2026-40156

EUVD-2026-21508 HIGH

Code Injection (CWE-94)

2026-04-10 GitHub_M

GHSA-2g3w-cpc4-chr4

RCE Code Injection

7.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 20:07 vuln.today

cvss_changed

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 10, 2026 - 17:15 euvd

EUVD-2026-21508

Analysis Generated

Apr 10, 2026 - 17:15 vuln.today

CVE Published

Apr 10, 2026 - 16:46 nvd

HIGH 7.8

DescriptionNVD

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.

AnalysisAI

Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. …

RemediationAI

Within 24 hours: Inventory all systems running PraisonAI versions below 4.5.128; disable PraisonAI execution in shared CI/CD pipelines and multi-user development environments pending patch release. Within 7 days: Implement file integrity monitoring on all working directories where PraisonAI operates; restrict write permissions to PraisonAI working directories to authorized users only; conduct audit of recent PraisonAI executions for suspicious tools.py modifications. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-40156 vulnerability details – vuln.today

Back

PraisonAI CVE-2026-40156

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code