CVE-2026-4965
Improper Neutralization in letta-ai resolve_type Enables Remote Code Execution
Publication date: 2026-03-27
Last updated on: 2026-04-29
Assigner: VulDB
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| letta | letta | 0.16.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-95 | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval"). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-4965 is a critical Remote Code Execution (RCE) vulnerability in the Letta AI platform (versions up to 0.16.4). It arises from an unsafe fallback to Python's eval() function during type annotation coercion in the function resolve_type within letta/functions/ast_parsers.py.
The vulnerability occurs because when the safe Abstract Syntax Tree (AST) based resolver fails to parse certain type annotations, the code falls back to using eval() with a namespace exposing all built-in Python functions, including powerful ones like __import__, exec, and open. This fallback is hardcoded to be enabled in all sandboxed execution paths, allowing an attacker to execute arbitrary code.
An unauthenticated attacker can exploit this by submitting a malicious Python tool with crafted type annotations via the API endpoint POST /v1/tools/run, which leads to execution of arbitrary OS commands on the server before any legitimate tool code runs.
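The fallback described above is the defect: a resolver that cannot parse an annotation should reject it, not hand it to eval(). The following is an added example, not Letta's code or its fix; the allowlist and the names `resolve_annotation`, `UnsafeAnnotation` and `is_plain_type` are hypothetical, and Python 3.9 or later is assumed.

```python
import ast
import typing

# Assumption: the only names a tool signature may use; extend deliberately, never via eval.
ALLOWED = {"int": int, "str": str, "float": float, "bool": bool, "bytes": bytes,
           "list": list, "dict": dict, "set": set, "tuple": tuple,
           "List": typing.List, "Dict": typing.Dict, "Set": typing.Set,
           "Tuple": typing.Tuple, "Optional": typing.Optional,
           "Union": typing.Union, "Any": typing.Any}

class UnsafeAnnotation(ValueError):
    """Raised instead of falling back to eval()."""

def _resolve(node):
    if isinstance(node, ast.Name) and node.id in ALLOWED:
        return ALLOWED[node.id]
    if isinstance(node, ast.Constant) and node.value is None:
        return type(None)
    if (isinstance(node, ast.Attribute) and isinstance(node.value, ast.Name)
            and node.value.id == "typing" and node.attr[:1].isupper() and node.attr in ALLOWED):
        return ALLOWED[node.attr]  # typing.List, typing.Optional, ...
    if isinstance(node, ast.Subscript):
        inner = node.slice
        args = tuple(map(_resolve, inner.elts)) if isinstance(inner, ast.Tuple) else _resolve(inner)
        return _resolve(node.value)[args]
    if isinstance(node, ast.BinOp) and isinstance(node.op, ast.BitOr):  # X | Y
        return typing.Union[_resolve(node.left), _resolve(node.right)]
    raise UnsafeAnnotation("node not allowed in a type: " + type(node).__name__)

def resolve_annotation(text):
    """Turn an annotation string into a type by AST inspection only; fail closed."""
    try:
        return _resolve(ast.parse(text.strip(), mode="eval").body)
    except (SyntaxError, TypeError, ValueError, RecursionError) as exc:
        raise UnsafeAnnotation("unresolvable annotation: %r" % text) from exc

def is_plain_type(text):
    """True when the annotation resolves without evaluating anything."""
    try:
        resolve_annotation(text)
        return True
    except UnsafeAnnotation:
        return False

# Constructed inputs; the last two stand in for annotations that carry a call.
SAMPLES = ["Optional[List[int]]", "dict[str, int]", "int | None",
           "print('marker')", "list[print('marker')]"]
```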
How can this vulnerability impact me?
This vulnerability allows full Remote Code Execution on the Letta server with root privileges in the default local sandbox.
- An attacker can execute arbitrary OS commands remotely without authentication.
- Attackers can read sensitive data such as API keys and passwords.
- It enables attackers to pivot within internal networks, install backdoors, and exfiltrate data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious API requests to the Letta AI platform, specifically POST requests to the endpoint /v1/tools/run containing malicious Python type annotations that exploit the unsafe eval fallback.
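A practical detection method is to look for unusual files created by exploitation attempts, such as the file /tmp/pwned, which is created by the proof-of-concept exploit. This catches only the unmodified proof of concept, so the absence of the file does not rule out exploitation.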
Example command to detect the presence of the exploit file on the server:
- ls -l /tmp/pwned
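Example command to monitor network traffic for suspicious POST requests to the vulnerable endpoint (using tcpdump or similar). The filter matches only unencrypted HTTP packets on port 80 that carry a payload, so change the port to the one the Letta API listens on; -l line-buffers tcpdump's output so that grep shows matches as they arrive:
- tcpdump -l -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/v1/tools/run'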
Additionally, inspecting logs for unusual or unexpected Python type annotations containing code execution patterns (e.g., __import__, os.popen) can help identify exploitation attempts.
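The log inspection described above can be done structurally rather than by string matching, as in this added example (not part of the original page or of Letta). It assumes request logs are available as method/path/body records and that the tool source travels in a JSON field named `source_code`; both, and all function names, are assumptions.

```python
import ast
import json

ENDPOINT = ("POST", "/v1/tools/run")  # endpoint named in the advisory
SOURCE_FIELD = "source_code"          # assumption: JSON field carrying the tool source
# Node types that run code and have no place in a plain type annotation.
EXECUTABLE = (ast.Call, ast.Lambda, ast.NamedExpr, ast.Await, ast.IfExp, ast.JoinedStr,
              ast.ListComp, ast.SetComp, ast.DictComp, ast.GeneratorExp)

def annotation_findings(expr):
    """Return the reasons an annotation expression is more than a type."""
    reasons = []
    for node in ast.walk(expr):
        name = getattr(node, "id", None) or getattr(node, "attr", None)
        if isinstance(node, EXECUTABLE):
            reasons.append(type(node).__name__)
        elif isinstance(name, str) and name.startswith("__"):
            reasons.append("dunder:" + name)
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            try:  # a string annotation is what a resolver would evaluate later
                reasons += annotation_findings(ast.parse(node.value, mode="eval"))
            except (SyntaxError, ValueError):
                pass  # not an expression, so eval() would have nothing to run
    return reasons

def scan_body(body):
    """Findings for every parameter and return annotation in a request's tool source."""
    try:
        tree = ast.parse(json.loads(body)[SOURCE_FIELD])
    except (SyntaxError, ValueError, KeyError, TypeError):
        return ["unparseable-request"]
    found = []
    for node in ast.walk(tree):
        if isinstance(node, ast.arg) and node.annotation:
            found += annotation_findings(node.annotation)
        elif isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)) and node.returns:
            found += annotation_findings(node.returns)
    return found

def flag_requests(records):
    """Map record index to findings for logged calls to the endpoint."""
    scanned = {i: scan_body(r["body"]) for i, r in enumerate(records)
               if (r["method"], r["path"]) == ENDPOINT}
    return {i: why for i, why in scanned.items() if why}

# Constructed records, not real traffic; print() stands in for any call expression.
SOURCES = ["def add(a: int, b: int) -> int:\n    return a + b\n",
           "def t(x: \"list[print('marker')]\") -> str:\n    return x\n"]
SAMPLE = [{"method": "POST", "path": "/v1/tools/run",
           "body": json.dumps({SOURCE_FIELD: s})} for s in SOURCES]
```

Parsing the annotations catches call expressions however they are spelled, which a grep for fixed strings such as `__import__` does not.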
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the Letta AI platform API, especially the POST /v1/tools/run endpoint, to trusted users or internal networks only.
If possible, disable or restrict the use of unsafe eval in the codebase, although the current version hardcodes allow_unsafe_eval=True in all sandboxed execution paths with no configuration to disable it.
Monitor and block suspicious requests containing malicious type annotations that attempt to execute arbitrary code.
Apply network-level protections such as firewalls or API gateways to limit exposure.
Since no patched versions are available at the time of the report, consider isolating the affected system and preparing for an update once a fix is released.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability CVE-2026-4965 allows unauthenticated remote code execution with root privileges on the Letta AI platform server. This can lead to unauthorized access to sensitive data such as API keys and passwords, installation of backdoors, and data exfiltration.
Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls to prevent unauthorized access and data leakage.
Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive data, leading to violations of regulatory requirements and potential legal and financial consequences.