CVE-2026-40156

| EUVD-2026-21508 HIGH
2026-04-10 GitHub_M GHSA-2g3w-cpc4-chr4
7.8
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch Released
Apr 10, 2026 - 20:30 nvd
Patch available
EUVD ID Assigned
Apr 10, 2026 - 17:15 euvd
EUVD-2026-21508
Analysis Generated
Apr 10, 2026 - 17:15 vuln.today
CVE Published
Apr 10, 2026 - 16:46 nvd
HIGH 7.8

Tags

RCE Code Injection Praisonai

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.

Analysis

Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Inventory all systems running PraisonAI versions below 4.5.128; disable PraisonAI execution in shared CI/CD pipelines and multi-user development environments pending patch release. Within 7 days: Implement file integrity monitoring on all working directories where PraisonAI operates; restrict write permissions to PraisonAI working directories to authorized users only; conduct audit of recent PraisonAI executions for suspicious tools.py modifications. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +39
POC: 0

Share

CVE-2026-40156 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy