CVE-2026-39888

Critical

Published: 08 April 2026

Published

08 April 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

EPSS Score 0.0011 29.6th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-39888 is a critical-severity Violation of Secure Design Principles (CWE-657) vulnerability in Praison Praisonai. Its CVSS base score is 9.9 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-50 (Software-enforced Separation and Policy Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the incomplete blocklist flaw in the subprocess sandbox that enables the frame-traversal chain to access unrestricted builtins and execute arbitrary code.

SC-39 Process Isolation good match

prevent

Enforces process isolation between user code execution in the sandboxed subprocess and the wrapper environment, blocking access to frame attributes like __traceback__ and f_builtins.

SC-50 Software-enforced Separation and Policy Enforcement good match

prevent

Implements software-enforced separation policies to comprehensively restrict attribute traversal and builtin access within the Python subprocess sandbox.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1059.006 Python Execution

Adversaries may abuse Python commands and scripts for execution.

attack.mitre.org →

Why these techniques?

The sandbox escape in the network-accessible PraisonAI Python execution tool directly enables remote exploitation of a public-facing application (T1190) to achieve arbitrary code execution via the Python interpreter (T1059.006) by bypassing the incomplete blocklist and restricted builtins.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper…

(blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.

Deeper analysisAI

CVE-2026-39888 is a sandbox escape vulnerability in PraisonAI, a multi-agent teams system. In versions prior to 1.5.115, the execute_code() function in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which executes user code in a subprocess with a restricted __builtins__ dictionary and an AST-based blocklist. The blocklist in the subprocess wrapper (blocked_attrs in python_tools.py) only includes 11 attribute names, a subset of those blocked in direct execution, notably omitting __traceback__, tb_frame, f_back, and f_builtins. This allows chaining these attributes via a caught exception to access the real Python builtins dictionary of the wrapper frame, enabling retrieval and execution of exec under a non-blocked name and bypassing all security layers.

An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N), achieving high scope (S:C) and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), as scored at CVSS 9.9 (CVSS:3.1). Exploitation involves crafting Python code that triggers the frame-traversal chain through an exception, exposing unrestricted builtins and allowing arbitrary code execution within the subprocess context.

The vulnerability, tied to CWE-657 (Violation of Secure Design Principles) and CWE-693 (Protection Mechanism Failure), is fixed in PraisonAI version 1.5.115. The GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qf73-2hrx-xprp provides further details on the patch, which addresses the incomplete blocklist in the subprocess sandbox.

PraisonAI's role as a multi-agent AI system underscores the relevance of this issue to AI/ML deployments relying on code execution sandboxes for agent tools. No real-world exploitation has been reported as of the CVE publication on 2026-04-08.

Details

CWE(s): CWE-657 CWE-693

Affected Products

praison

praisonai

≤ 1.5.115

CVEs Like This One

CVE-2026-44334Same product: Praison Praisonai

CVE-2026-39891Same product: Praison Praisonai

CVE-2026-40158Same product: Praison Praisonai

CVE-2026-44336Same product: Praison Praisonai

CVE-2026-44338Same product: Praison Praisonai

CVE-2026-39889Same product: Praison Praisonai

CVE-2026-34952Same product: Praison Praisonai

CVE-2026-39890Same product: Praison Praisonai

CVE-2026-34934Same product: Praison Praisonai

CVE-2026-39308Same product: Praison Praisonai

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qf73-2hrx-xprp
Vendor Advisory · security-advisories@github.com