CVE-2026-40287: CWE-94: Improper Control of Generation of Code ('Code Injection') in MervinPraison PraisonAI
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
AI Analysis
Technical Summary
PraisonAI, a multi-agent teams system, versions prior to 4.5.139 automatically import a tools.py file from the current working directory without validation or sandboxing. Components such as call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import this file at startup. This behavior enables an attacker with write access to the launch directory to execute arbitrary Python code, leading to full compromise of the PraisonAI process and the host environment. The issue is identified as CWE-94 (Improper Control of Generation of Code) and CWE-426 (Untrusted Search Path). The vulnerability has been addressed in version 4.5.139.
Potential Impact
Successful exploitation results in immediate arbitrary code execution with the privileges of the PraisonAI process. This compromises the entire PraisonAI application, the underlying host system, and any data or credentials accessible to the process. The CVSS v3.1 score is 8.4 (High), reflecting high confidentiality, integrity, and availability impacts. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade PraisonAI to version 4.5.139 or later, where this vulnerability is fixed. Until upgrading, avoid launching PraisonAI from directories where untrusted users can place or modify a tools.py file. Restrict write permissions on the working directory to trusted users only. Patch status is confirmed fixed in version 4.5.139.
CVE-2026-40287: CWE-94: Improper Control of Generation of Code ('Code Injection') in MervinPraison PraisonAI
Description
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PraisonAI, a multi-agent teams system, versions prior to 4.5.139 automatically import a tools.py file from the current working directory without validation or sandboxing. Components such as call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import this file at startup. This behavior enables an attacker with write access to the launch directory to execute arbitrary Python code, leading to full compromise of the PraisonAI process and the host environment. The issue is identified as CWE-94 (Improper Control of Generation of Code) and CWE-426 (Untrusted Search Path). The vulnerability has been addressed in version 4.5.139.
Potential Impact
Successful exploitation results in immediate arbitrary code execution with the privileges of the PraisonAI process. This compromises the entire PraisonAI application, the underlying host system, and any data or credentials accessible to the process. The CVSS v3.1 score is 8.4 (High), reflecting high confidentiality, integrity, and availability impacts. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade PraisonAI to version 4.5.139 or later, where this vulnerability is fixed. Until upgrading, avoid launching PraisonAI from directories where untrusted users can place or modify a tools.py file. Restrict write permissions on the working directory to trusted users only. Patch status is confirmed fixed in version 4.5.139.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.035Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ddbc3182d89c981fc24dcc
Added to database: 4/14/2026, 4:01:53 AM
Last enriched: 4/14/2026, 4:17:15 AM
Last updated: 4/15/2026, 5:10:23 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.