PraisonAI Sandbox Bypasses Enabled Arbitrary Code Execution in Agent Python Tools
Two high-severity vulnerabilities in PraisonAI exposed its Python sandbox protections to bypass, allowing arbitrary code execution when untrusted agent code was run. CVE-2026-39888 affected versions prior to 1.5.115 in praisonaiagents.tools.python_tools.execute_code() when sandbox_mode defaulted to sandbox; the subprocess wrapper relied on a restricted __builtins__ dictionary and an incomplete AST blocklist that omitted frame-traversal attributes including __traceback__, tb_frame, f_back, and f_builtins. By catching an exception and traversing frames, an attacker could recover the real Python builtins from the wrapper frame and invoke exec, defeating the intended sandbox restrictions.
A second flaw, CVE-2026-40158, affected PraisonAI versions prior to 4.5.128 in _execute_code_direct within praisonaiagents/tools/python_tools.py. That sandbox used AST filtering to block dangerous Python attributes, but only inspected ast.Attribute nodes and missed dynamic attribute resolution through built-in mechanisms such as type.__getattribute__. Attackers could therefore reach blocked capabilities such as __subclasses__ through a trampoline technique because the string appeared as an ast.Constant rather than an ast.Attribute, undermining the protection model until the vendor patched the issue in 4.5.128.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
PraisonAI fixes AST sandbox bypass in version 4.5.128
PraisonAI disclosed and fixed a separate sandbox bypass vulnerability affecting versions prior to 4.5.128 that could lead to arbitrary code execution when running untrusted agent code. The issue stemmed from incomplete AST filtering that could be bypassed via dynamic attribute resolution such as type.__getattribute__.
PraisonAI fixes sandbox escape in version 1.5.115
A sandbox escape vulnerability affecting PraisonAI versions prior to 1.5.115 was identified in execute_code() in subprocess mode. The flaw allowed recovery of real Python builtins through exception frame traversal, and it was fixed in version 1.5.115.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
CVE-2026-40158 - PraisonAI has Improper Control of Generation of Code ('Code Injection') and Protection Mechanism Failure in praisonai
cvefeed.io
Open sourceCVE-2026-39888 - PraisonAIAgents has a sandbox escape via exception frame traversal in `execute_code` (subprocess mode)
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
PraisonAI Flaws Enable Template Injection and Remote Template Code Execution
PraisonAI disclosed two high-severity vulnerabilities affecting its multi-agent teams platform, both tied to unsafe handling of templates. **CVE-2026-39891** affects versions before `4.5.115` and allows template injection through agent tool definitions: the `create_agent_centric_tools()` function returns tools that render file content as templates, so unescaped input supplied via `agent.start()` can cause template expressions to execute rather than be treated as plain text. The flaw is tracked as **CWE-94** and carries a CVSS v3.1 score vector of `AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H`, indicating high impact across confidentiality, integrity, and availability. A second issue, **CVE-2026-40154**, affects versions before `4.5.128` and exposes PraisonAI to remote template code execution through untrusted externally fetched template files. The advisory says the product treated remote templates as trusted executable code without integrity checks, origin validation, or user confirmation, creating a supply-chain attack path for malicious templates. That vulnerability is mapped to **CWE-829** with CVSS v3.1 vector `AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N`. PraisonAI fixed the issues in versions `4.5.115` and `4.5.128`, with GitHub advisories published as **GHSA-hwg5-x759-7wjg** and **GHSA-pv9q-275h-rh7x**.
Apr 10, 2026
PraisonAI flaws allowed auth bypass and second-order SQL injection
PraisonAI, a multi-agent teams platform, disclosed two high-severity vulnerabilities affecting versions before **4.5.97** and **4.5.90**. The more severe issue, tracked as `CVE-2026-34953`, stems from `OAuthManager.validate_token()` returning `True` for tokens missing from its internal store, which is empty by default. That logic flaw lets attackers present arbitrary Bearer tokens to authenticate to the MCP server and gain full access to registered tools and agent capabilities. The vulnerability was classified as **CWE-863** with a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N`. A second flaw, `CVE-2026-34934`, exposed PraisonAI to second-order SQL injection through `get_all_user_threads`. In affected versions before **4.5.90**, the function constructed raw SQL queries with Python f-strings using unescaped thread IDs previously stored in the database, allowing an attacker to plant a malicious thread ID via `update_thread` and trigger injection when thread lists were loaded. The bug could lead to full database compromise and was classified as **CWE-89** with a CVSS v3.1 vector of `AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`; both issues were addressed in patched releases published through GitHub Security Advisories.
Apr 4, 2026
PraisonAI Authentication Bypass Scanned Within Hours of Disclosure
Threat actors began probing internet-exposed **PraisonAI** instances within **3 hours and 44 minutes** of public disclosure of `CVE-2026-44338`, a missing-authentication flaw in the product’s legacy Flask API server. The vulnerability, tracked in GitHub advisory `GHSA-6rmh-7xcm-cpxj`, affects versions **2.5.6 through 4.6.33** and was fixed in **4.6.34**. Sysdig said the issue stems from authentication being disabled by default in the legacy `api_server.py`, allowing unauthenticated access to protected endpoints including `GET /agents` and `POST /chat`. Sysdig observed scanning from **146.190.133[.]49** using the User-Agent **`CVE-Detector/1.0`**, with activity focused on validating exploitability rather than full hands-on abuse, as no `POST /chat` requests were seen. Even so, exposed deployments could allow attackers to view agent configurations, trigger workflows defined in `agents.yaml`, exhaust model or API quotas, expose data, or execute downstream actions through connected tools. Defenders were urged to upgrade to **PraisonAI 4.6.34 or later**, retire the legacy API server, restrict exposure of **port 8080**, monitor for unauthenticated requests to `/agents` and `/chat`, and review credentials and billing tied to configured agents.
May 15, 2026