CVE-2026-40287
Arbitrary Code Execution via Unsanitized tools.py Import in PraisonAI

Publication date: 2026-04-14

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-20
Generated: 2026-06-16
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 2 associated CPEs
Vendor  | Product         | Version / Range
praison | praisonai       | to 4.5.139 (exc)
praison | praisonaiagents | to 1.5.140 (exc)
CWE ID  | Description
CWE-94  | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-426 | The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
Executive Summary

CVE-2026-40287 is a high-severity vulnerability in PraisonAI versions 4.5.138 and below that allows arbitrary code execution. The issue arises because PraisonAI automatically imports a file named tools.py from the current working directory without any validation, sandboxing, or user confirmation.

Components such as call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import this tools.py file at startup. If an attacker can place a malicious tools.py file in the directory where PraisonAI is launched, they can execute arbitrary Python code within the PraisonAI process.

This leads to full compromise of the PraisonAI process, the host system, and any connected data or credentials. The vulnerability is due to improper control of code generation (CWE-94) and untrusted search path usage (CWE-426).

Impact Analysis

This vulnerability allows an attacker who can place a malicious tools.py file in the working directory to execute arbitrary Python code on the host system running PraisonAI.

The impact includes full compromise of the PraisonAI process, the underlying host system, and any connected data or credentials.

Because the attack requires no user interaction and no privileges, it can be triggered easily if an attacker has write access to the working directory.

Detection Guidance

Exposure can be detected by checking for a malicious or unexpected tools.py file in the current working directory from which PraisonAI components are launched.

Make this check before running PraisonAI components: on affected versions, a tools.py present in the working directory is imported at startup.

You can use commands like the following to check for the presence of tools.py:

  • ls -l ./tools.py
  • cat ./tools.py

Additionally, monitoring for unexpected file creation or modification in directories where PraisonAI is run may help detect attempts to place malicious tools.py files.

You can also check for suspicious files or evidence of code execution such as unexpected files created by malicious code (e.g., /tmp/pwned.txt) using commands like:

  • ls -l /tmp/pwned.txt

Mitigation Strategies

To mitigate this vulnerability immediately, upgrade PraisonAI to version 4.5.139 or later, where the issue has been fixed.

Until the upgrade can be performed, ensure that no untrusted or malicious tools.py file exists in the working directory from which PraisonAI is launched.

Restrict write permissions on directories used to launch PraisonAI to prevent attackers from placing malicious tools.py files.

Avoid running PraisonAI in shared or writable directories where an attacker could place a malicious tools.py.

Consider running PraisonAI with least privilege and in isolated environments to limit the impact of potential exploitation.
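
A pre-launch check that combines the detection and mitigation steps above, as an added example (not PraisonAI's code and not the fix shipped in 4.5.139): it inspects ./tools.py and its directory without importing the file. The name audit_launch_dir and the sample file content are assumptions made for illustration.

```python
import ast
import os
import stat
import sys
import tempfile
from pathlib import Path

# Constructed sample content for the demo; it is parsed, never imported or executed.
SAMPLE_TOOLS = "import socket\nimport subprocess\n\ndef helper():\n    return 1\n\nprint('side effect at import time')\n"

def audit_launch_dir(directory="."):
    """Return findings about tools.py in `directory` without importing it."""
    directory = Path(directory)
    target = directory / "tools.py"
    if not target.is_file():
        return []  # nothing would be auto-imported from this directory
    findings = ["tools.py present: affected versions import it at startup"]
    # Who could have planted or changed the file?
    for label, path in (("tools.py", target), ("launch directory", directory)):
        st = path.stat()
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{label} is group- or world-writable")
        if hasattr(os, "getuid") and st.st_uid != os.getuid():
            findings.append(f"{label} is owned by uid {st.st_uid}, not the current user")
    # Static view of what would run at import time; ast.parse never executes code.
    try:
        tree = ast.parse(target.read_text(encoding="utf-8", errors="replace"))
    except SyntaxError as exc:
        return findings + [f"tools.py does not parse: {exc.msg}"]
    imports = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            imports.update(alias.name for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module)
    findings.append("imports: " + (", ".join(sorted(imports)) or "none"))
    # Calls outside def/class bodies execute the moment the module is imported.
    calls = [n for n in tree.body if isinstance(n, ast.Expr) and isinstance(n.value, ast.Call)]
    if calls:
        findings.append(f"{len(calls)} top-level call(s) run on import, first at line {calls[0].lineno}")
    return findings

if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = audit_launch_dir(sys.argv[1])
    else:  # demo on a throwaway directory holding the constructed sample
        with tempfile.TemporaryDirectory() as tmp:
            Path(tmp, "tools.py").write_text(SAMPLE_TOOLS)
            results = audit_launch_dir(tmp)
    print("\n".join(results) or "no tools.py in launch directory")
```

Run it with the intended launch directory as the argument; any output other than "no tools.py in launch directory" means the file should be reviewed before an affected version is started there.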

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code on the host system running PraisonAI, leading to full compromise of the process, host environment, and any connected data or credentials.

Such a compromise can result in unauthorized access, modification, or destruction of sensitive data, which may violate data protection requirements under common standards and regulations like GDPR and HIPAA.

Therefore, if PraisonAI is used in environments subject to these regulations, this vulnerability could lead to non-compliance due to failure to adequately protect confidentiality, integrity, and availability of sensitive information.
