Executive Summary

CVE-2026-4965 is a critical Remote Code Execution (RCE) vulnerability in the Letta AI platform (versions up to 0.16.4). It arises from an unsafe fallback to Python's eval() function during type annotation coercion in the function resolve_type within letta/functions/ast_parsers.py.

The vulnerability occurs because when the safe Abstract Syntax Tree (AST) based resolver fails to parse certain type annotations, the code falls back to using eval() with a namespace exposing all built-in Python functions, including powerful ones like __import__, exec, and open. This fallback is hardcoded to be enabled in all sandboxed execution paths, allowing an attacker to execute arbitrary code.

An unauthenticated attacker can exploit this by submitting a malicious Python tool with crafted type annotations via the API endpoint POST /v1/tools/run, which leads to execution of arbitrary OS commands on the server before any legitimate tool code runs.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability CVE-2026-4965 allows unauthenticated remote code execution with root privileges on the Letta AI platform server. This can lead to unauthorized access to sensitive data such as API keys and passwords, installation of backdoors, and data exfiltration.

Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information and mandate controls to prevent unauthorized access and data leakage.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of sensitive data, leading to violations of regulatory requirements and potential legal and financial consequences.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows full Remote Code Execution on the Letta server with root privileges in the default local sandbox.

• An attacker can execute arbitrary OS commands remotely without authentication.
• Attackers can read sensitive data such as API keys and passwords.
• It enables attackers to pivot within internal networks, install backdoors, and exfiltrate data.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring for suspicious API requests to the Letta AI platform, specifically POST requests to the endpoint /v1/tools/run containing malicious Python type annotations that exploit the unsafe eval fallback.

A practical detection method is to look for unusual files created by exploitation attempts, such as the file /tmp/pwned, which is created by the proof of concept exploit.

Example command to detect the presence of the exploit file on the server:

• ls -l /tmp/pwned

Example command to monitor network traffic for suspicious POST requests to the vulnerable endpoint (using tcpdump or similar):

• tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/v1/tools/run'

Additionally, inspecting logs for unusual or unexpected Python type annotations containing code execution patterns (e.g., __import__, os.popen) can help identify exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the Letta AI platform API, especially the POST /v1/tools/run endpoint, to trusted users or internal networks only.

If possible, disable or restrict the use of unsafe eval in the codebase, although the current version hardcodes allow_unsafe_eval=True in all sandboxed execution paths with no configuration to disable it.

Monitor and block suspicious requests containing malicious type annotations that attempt to execute arbitrary code.

Apply network-level protections such as firewalls or API gateways to limit exposure.

Since no patched versions are available at the time of the report, consider isolating the affected system and preparing for an update once a fix is released.

Useful 0 Not Useful 0