CVE-2026-40156: CWE-94: Improper Control of Generation of Code ('Code Injection') in MervinPraison PraisonAI
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.
AI Analysis
Technical Summary
PraisonAI, a multi-agent teams system, prior to version 4.5.128, implicitly loads and executes a tools.py file from the current working directory using importlib.util.spec_from_file_location and spec.loader.exec_module() without explicit user consent, validation, or sandboxing. This automatic loading occurs even if tools.py is not referenced in configuration files. Consequently, placing a malicious tools.py file in the working directory leads to immediate arbitrary code execution upon startup, before any agent logic runs. This behavior breaches the security boundary between user-controlled project files and executable code. The vulnerability is identified as CWE-94 (Improper Control of Generation of Code) and is fixed in version 4.5.128.
Potential Impact
An attacker who can place a malicious tools.py file in the working directory where PraisonAI is executed can achieve arbitrary code execution with the privileges of the user running the software. This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is exploitable locally or via scenarios where an attacker can influence the working directory contents. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in PraisonAI version 4.5.128. Users should upgrade to version 4.5.128 or later to remediate this issue. Until upgrading, ensure that untrusted users cannot place files named tools.py in directories where PraisonAI is executed. Restrict write permissions on working directories and validate the environment before running the software. Patch status is not explicitly confirmed beyond the stated fix in version 4.5.128; users should consult the vendor for official advisories.
CVE-2026-40156: CWE-94: Improper Control of Generation of Code ('Code Injection') in MervinPraison PraisonAI
Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PraisonAI, a multi-agent teams system, prior to version 4.5.128, implicitly loads and executes a tools.py file from the current working directory using importlib.util.spec_from_file_location and spec.loader.exec_module() without explicit user consent, validation, or sandboxing. This automatic loading occurs even if tools.py is not referenced in configuration files. Consequently, placing a malicious tools.py file in the working directory leads to immediate arbitrary code execution upon startup, before any agent logic runs. This behavior breaches the security boundary between user-controlled project files and executable code. The vulnerability is identified as CWE-94 (Improper Control of Generation of Code) and is fixed in version 4.5.128.
Potential Impact
An attacker who can place a malicious tools.py file in the working directory where PraisonAI is executed can achieve arbitrary code execution with the privileges of the user running the software. This can lead to full compromise of the affected system, including confidentiality, integrity, and availability impacts. The vulnerability is exploitable locally or via scenarios where an attacker can influence the working directory contents. No known exploits in the wild have been reported.
Mitigation Recommendations
This vulnerability is fixed in PraisonAI version 4.5.128. Users should upgrade to version 4.5.128 or later to remediate this issue. Until upgrading, ensure that untrusted users cannot place files named tools.py in directories where PraisonAI is executed. Restrict write permissions on working directories and validate the environment before running the software. Patch status is not explicitly confirmed beyond the stated fix in version 4.5.128; users should consult the vendor for official advisories.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T19:31:56.014Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d9d9721cc7ad14da3f8650
Added to database: 4/11/2026, 5:17:38 AM
Last enriched: 4/18/2026, 2:36:30 PM
Last updated: 5/26/2026, 6:52:32 PM
Views: 110
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.