Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionGitHub Advisory
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
AnalysisAI
Arbitrary Python code execution in PraisonAI ≤4.5.138 occurs when malicious tools.py files are automatically imported from the current working directory without validation. Attackers placing a crafted tools.py in shared projects, cloned repositories, or writable workspaces achieve immediate code execution with full process privileges upon PraisonAI startup. EPSS data not available, but the local attack vector (AV:L) requiring no privileges (PR:N) or user interaction (UI:N) enables exploitation through supply chain and workspace poisoning attacks. No public exploit identified at time of analysis, though the vulnerability is trivial to exploit given the straightforward code injection mechanism.
Technical ContextAI
PraisonAI is a multi-agent AI teams framework built on Python. The vulnerability stems from CWE-94 (Improper Control of Generation of Code/Code Injection) in three critical components: call.py's import_tools_from_file() function, tool_resolver.py's _load_local_tools() method, and CLI tool-loading initialization paths. These components use Python's dynamic import mechanisms to unconditionally load ./tools.py from the current working directory at application startup. The affected products include both cpe:2.3:a:mervinpraison:praisonai and cpe:2.3:a:mervinpraison:praisonaiagents packages. Python's import system executes module-level code during import operations, meaning any arbitrary Python code placed in tools.py executes immediately within the PraisonAI process context with full interpreter privileges. The lack of path validation, signature verification, sandboxing (via RestrictedPython or similar), or user confirmation transforms a legitimate extensibility feature into an automatic code execution mechanism. This represents a classic confused deputy problem where the application's trust in local filesystem contents is exploited.
RemediationAI
Upgrade immediately to PraisonAI version 4.5.139 or later, which implements validation and sanitization for tools.py imports according to the vendor security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc. For environments unable to patch immediately, implement compensating controls: restrict write permissions on directories where PraisonAI is executed to trusted users only, use read-only mounts for project directories in containerized deployments, implement mandatory code review for all tools.py files before PraisonAI execution, and consider running PraisonAI within isolated virtual environments or containers with minimal filesystem access. Organizations using PraisonAI in CI/CD pipelines should audit all repository contents before automated execution and implement allowlisting for acceptable tools.py sources. Remove or quarantine any untrusted tools.py files from working directories prior to launching PraisonAI.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22207
GHSA-g985-wjh9-qxxc