CVE-2026-4965 is a vulnerability identified in the open-source AI framework letta-ai letta, specifically version 0.16.4. The issue resides in the resolve_type function within the letta/functions/ast_parsers.py file, where improper neutralization of directives occurs during dynamic code evaluation. This vulnerability is a result of an incomplete fix of a prior vulnerability (CVE-2025-6101), indicating that the underlying problem with safely handling dynamically evaluated code was not fully resolved. The flaw allows an attacker to remotely manipulate the evaluation process, potentially injecting malicious directives or code fragments that are not properly sanitized. Because the vulnerability can be exploited without authentication or user interaction, it poses a significant risk to exposed systems. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the network attack vector, low complexity, and no privileges required, but only limited impact on confidentiality, integrity, and availability. The vendor has not responded to disclosure requests, and no official patch or mitigation guidance has been published. The exploit code is publicly available, increasing the likelihood of exploitation attempts. This vulnerability is particularly concerning in environments where letta-ai letta is used for AI model development or deployment, as it could allow attackers to alter code execution flows, potentially leading to data leakage, unauthorized code execution, or denial of service.

The vulnerability allows remote attackers to manipulate dynamically evaluated code, which can lead to partial compromise of confidentiality, integrity, and availability of affected systems. Attackers could inject malicious directives that alter program behavior, potentially leading to unauthorized data access, code execution, or disruption of services. Since the flaw exists in a core function responsible for parsing and resolving types in the AI framework, exploitation could undermine the trustworthiness of AI models or applications built on letta. Organizations relying on letta for AI development or deployment may face risks including intellectual property theft, data breaches, or operational downtime. The absence of vendor response and patch increases exposure time, raising the likelihood of exploitation as the exploit is publicly available. The medium severity rating indicates that while the impact is significant, it may not lead to full system compromise without additional conditions. However, the ease of remote exploitation without authentication makes this a notable threat for organizations with internet-facing instances of letta or those integrating it into critical workflows.

1. Immediately restrict network exposure of systems running letta 0.16.4 to trusted internal networks only, preventing remote access from untrusted sources. 2. Conduct thorough code reviews focusing on dynamic code evaluation areas, especially the resolve_type function, to implement additional sanitization and validation of directives before evaluation. 3. Employ runtime application self-protection (RASP) or behavior monitoring tools to detect anomalous code execution patterns indicative of exploitation attempts. 4. Isolate AI development and deployment environments using containerization or sandboxing to limit potential damage from exploitation. 5. Monitor public vulnerability databases and letta-ai project repositories for updates or patches addressing this issue, and apply them promptly once available. 6. Consider temporary mitigation by disabling or limiting features that rely on dynamic code evaluation if feasible. 7. Implement strict input validation and use allowlists for any user-supplied data that could influence code evaluation. 8. Educate development teams about the risks of dynamic code evaluation and encourage secure coding practices to prevent similar issues in future versions.