Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.
AnalysisAI
Arbitrary code execution occurs in PraisonAI (all versions prior to 4.5.128) when a malicious tools.py file exists in the working directory. The framework automatically imports and executes this file during startup without validation or user consent, enabling unauthenticated local attackers to execute arbitrary Python code by placing a weaponized tools.py in directories accessed by users or CI/CD pipelines. User interaction is required (running praisonai command). No public exploit identified at time of analysis.
Technical ContextAI
Vulnerability stems from unsafe use of importlib.util.spec_from_file_location() combined with spec.loader.exec_module() to load tools.py from current working directory. Module-level code executes immediately during import without sandboxing, validation, or explicit user authorization. CWE-94 code injection via implicit trust of working directory contents violates principle of least privilege for filesystem resources.
RemediationAI
Vendor-released patch: upgrade to PraisonAI version 4.5.128 or later, which addresses the unsafe automatic loading of tools.py files. Organizations should audit CI/CD pipelines and shared development environments for untrusted tools.py files introduced through supply chain or repository compromise. As immediate mitigation prior to patching, restrict write access to working directories where praisonai executes, implement filesystem monitoring for unexpected tools.py creation, and review existing tools.py files for malicious code. Full technical details and vendor advisory: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2g3w-cpc4-chr4
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21508
GHSA-2g3w-cpc4-chr4