Skip to main content

Python CVE-2026-40287

| EUVDEUVD-2026-22207 HIGH
Code Injection (CWE-94)
2026-04-14 GitHub_M GHSA-g985-wjh9-qxxc
8.4
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.4 HIGH
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

6
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Patch released
Apr 15, 2026 - 02:30 nvd
Patch available
Analysis Generated
Apr 14, 2026 - 04:10 vuln.today
EUVD ID Assigned
Apr 14, 2026 - 04:00 euvd
EUVD-2026-22207
Analysis Generated
Apr 14, 2026 - 04:00 vuln.today
CVE Published
Apr 14, 2026 - 02:55 nvd
HIGH 8.4

DescriptionGitHub Advisory

PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.

AnalysisAI

Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.

Technical ContextAI

PraisonAI is a multi-agent AI teams framework built on Python. The vulnerability stems from CWE-94 (Improper Control of Generation of Code/Code Injection) in three critical components: call.py's import_tools_from_file() function, tool_resolver.py's _load_local_tools() method, and CLI tool-loading initialization paths. These components use Python's dynamic import mechanisms to unconditionally load ./tools.py from the current working directory at application startup. The affected products include both cpe:2.3:a:mervinpraison:praisonai and cpe:2.3:a:mervinpraison:praisonaiagents packages. Python's import system executes module-level code during import operations, meaning any arbitrary Python code placed in tools.py executes immediately within the PraisonAI process context with full interpreter privileges. The lack of path validation, signature verification, sandboxing (via RestrictedPython or similar), or user confirmation transforms a legitimate extensibility feature into an automatic code execution mechanism. This represents a classic confused deputy problem where the application's trust in local filesystem contents is exploited.

RemediationAI

Upgrade immediately to PraisonAI version 4.5.139 or later, which implements validation and sanitization for tools.py imports according to the vendor security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc. For environments unable to patch immediately, implement compensating controls: restrict write permissions on directories where PraisonAI is executed to trusted users only, use read-only mounts for project directories in containerized deployments, implement mandatory code review for all tools.py files before PraisonAI execution, and consider running PraisonAI within isolated virtual environments or containers with minimal filesystem access. Organizations using PraisonAI in CI/CD pipelines should audit all repository contents before automated execution and implement allowlisting for acceptable tools.py sources. Remove or quarantine any untrusted tools.py files from working directories prior to launching PraisonAI.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-40287 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy