CVE-2026-40287
Arbitrary Code Execution via Unsanitized tools.py Import in PraisonAI
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | to 4.5.139 (exc) |
| praison | praisonaiagents | to 1.5.140 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control. |
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40287 is a high-severity vulnerability in PraisonAI versions 4.5.138 and below that allows arbitrary code execution. The issue arises because PraisonAI automatically imports a file named tools.py from the current working directory without any validation, sandboxing, or user confirmation.
Components such as call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import this tools.py file at startup. If an attacker can place a malicious tools.py file in the directory where PraisonAI is launched, they can execute arbitrary Python code within the PraisonAI process.
This leads to full compromise of the PraisonAI process, the host system, and any connected data or credentials. The vulnerability is due to improper control of code generation (CWE-94) and untrusted search path usage (CWE-426).
How can this vulnerability impact me?
This vulnerability allows an attacker who can place a malicious tools.py file in the working directory to execute arbitrary Python code on the host system running PraisonAI.
The impact includes full compromise of the PraisonAI process, the underlying host system, and any connected data or credentials.
Because the attack requires no user interaction and no privileges, it can be triggered easily if an attacker has write access to the working directory.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exposure to this vulnerability can be detected by checking, before running PraisonAI components, whether a malicious or unexpected tools.py file is present in the working directory from which they are launched.
You can use commands like the following to check for the presence of tools.py:
- ls -l ./tools.py
- cat ./tools.py
Additionally, monitoring for unexpected file creation or modification in directories where PraisonAI is run may help detect attempts to place malicious tools.py files.
You can also check for suspicious files or evidence of code execution such as unexpected files created by malicious code (e.g., /tmp/pwned.txt) using commands like:
- ls -l /tmp/pwned.txt
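
The checks above (presence of tools.py, who can write to the launch directory) can be combined into one pre-launch audit. This is an added example, not code from PraisonAI or from this advisory; the function name audit_launch_dir and the finding codes are hypothetical, and a POSIX host is assumed.

```python
import hashlib
import os
import stat
import sys
from pathlib import Path

# Permission bits that let someone other than the owner write (assumed policy).
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def audit_launch_dir(directory="."):
    """Return (code, detail) findings for tools.py auto-import exposure."""
    findings = []
    d = Path(directory).resolve()
    dir_mode = d.stat().st_mode
    # Whoever can write to the directory can create or replace tools.py.
    if dir_mode & WRITABLE_BY_OTHERS:
        findings.append(("dir-writable-by-others", stat.filemode(dir_mode)))

    tools = d / "tools.py"
    if not os.path.lexists(tools):
        return findings
    st = tools.lstat()  # lstat: describe the entry itself, not a link target
    findings.append(("tools-py-present", str(tools)))
    if stat.S_ISLNK(st.st_mode):
        findings.append(("tools-py-is-symlink", os.readlink(tools)))
    elif st.st_mode & WRITABLE_BY_OTHERS:
        findings.append(("tools-py-writable-by-others", stat.filemode(st.st_mode)))
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        findings.append(("tools-py-foreign-owner", f"uid={st.st_uid}"))
    if tools.is_file():
        # Record a hash so the file can be compared with a reviewed copy.
        digest = hashlib.sha256(tools.read_bytes()).hexdigest()
        findings.append(("tools-py-sha256", digest))
    return findings


if __name__ == "__main__":
    results = audit_launch_dir(sys.argv[1] if len(sys.argv) > 1 else ".")
    for code, detail in results:
        print(f"{code}: {detail}")
    # Non-zero exit lets a wrapper script refuse to start PraisonAI.
    sys.exit(1 if results else 0)
```

An empty result means no tools.py is present and only the directory owner can create one; any finding should be reviewed before launching.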
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade PraisonAI to version 4.5.139 or later, where the issue has been fixed.
Until the upgrade can be performed, ensure that no untrusted or malicious tools.py file exists in the working directory from which PraisonAI is launched.
Restrict write permissions on directories used to launch PraisonAI to prevent attackers from placing malicious tools.py files.
Avoid running PraisonAI in shared or writable directories where an attacker could place a malicious tools.py.
Consider running PraisonAI with least privilege and in isolated environments to limit the impact of potential exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary code on the host system running PraisonAI, leading to full compromise of the process, host environment, and any connected data or credentials.
Such a compromise can result in unauthorized access, modification, or destruction of sensitive data, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.
Therefore, if PraisonAI is used in environments subject to these regulations, this vulnerability could lead to non-compliance due to failure to adequately protect confidentiality, integrity, and availability of sensitive information.