Cyber Posture

CVE-2026-40156

Severity: High · Type: LPE

Published: 10 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: fixed in 4.5.128
CVSS Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.2 percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40156 is a high-severity Code Injection (CWE-94) vulnerability in Praison Praisonai. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). EPSS ranks it at the 7.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-11 (User-installed Software) and SC-18 (Mobile Code).

Threat & Defense at a Glance

What attackers do: exploitation maps to Python (T1059.006) and one other technique, Malicious File (T1204.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

SC-18 Mobile Code (prevent)
Mandates security safeguards to prevent unauthorized execution of mobile code technologies, directly addressing PraisonAI's unvalidated automatic loading and execution of tools.py from the working directory.

CM-11 User-installed Software (prevent)
Requires validation and integrity checks of user-installed or custom software such as tools.py prior to execution, mitigating the lack of consent and sandboxing in the loading process.

Malicious code protection (prevent, detect)
Deploys malicious code protection mechanisms with periodic and real-time scans to detect and block execution of malicious tools.py files placed in the working directory.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
Why these techniques?

The vulnerability allows arbitrary Python code execution via automatic loading of a malicious tools.py file from the current working directory using importlib, triggered when a user runs the application from the compromised directory.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.

Deeper analysis [AI-generated]

CVE-2026-40156 is a code injection vulnerability in PraisonAI, an open-source multi-agent teams system, affecting versions prior to 4.5.128. The flaw stems from the application's automatic loading of a file named tools.py from the current working directory to discover and register custom agent tools. This process employs importlib.util.spec_from_file_location followed by spec.loader.exec_module() to execute module-level code without user consent, validation, or sandboxing. The file is loaded implicitly, regardless of whether it is referenced in configuration files or explicitly requested, treating potentially untrusted content in the working directory as executable code and violating expected security boundaries.

An attacker with local access to the filesystem can exploit this vulnerability by placing a malicious tools.py file in the current working directory used by PraisonAI. Exploitation requires low complexity and no privileges (PR:N), but user interaction is needed (UI:R), such as a user or automated system like a CI/CD pipeline running the application from the compromised directory. Successful exploitation triggers arbitrary code execution immediately upon startup, before any agent logic executes, granting high confidentiality, integrity, and availability impacts (CVSS 7.8: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The issue maps to CWE-94 (code injection), CWE-426 (untrusted search path), and CWE-829 (file inclusion).

The vulnerability is addressed in PraisonAI version 4.5.128, as detailed in the GitHub security advisory (GHSA-2g3w-cpc4-chr4). Security practitioners should upgrade to the patched version and review working directories for unauthorized tools.py files, particularly in AI/ML development environments where multi-agent systems like PraisonAI are deployed.
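The implicit-load behaviour described above, and the CM-11/SC-18-style checks the analysis recommends, as an added example that is not PraisonAI's own code: a loader that executes a custom tools.py only after an explicit opt-in, a location check against an allowlisted project root (rather than whatever the current working directory happens to be), and a pinned SHA-256 comparison. The function names `load_tools_module` and `demo`, and the benign constructed tools.py, are assumptions for illustration.

```python
import hashlib
import hmac
import importlib.util
import tempfile
from pathlib import Path


class ToolLoadRefused(Exception):
    """A tools.py candidate failed one of the checks that run before exec_module()."""


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def load_tools_module(tools_path, allowed_root, expected_sha256, opted_in):
    """Execute tools_path only when the operator opted in, the file sits below
    allowed_root, and its SHA-256 equals the hash pinned when the file was reviewed."""
    if not opted_in:
        raise ToolLoadRefused("custom tool loading is disabled; enable it explicitly")
    path = Path(tools_path).resolve()   # follows symlinks before the root check
    root = Path(allowed_root).resolve()
    if root not in path.parents:
        raise ToolLoadRefused(f"{path} is outside the allowed root {root}")
    if not hmac.compare_digest(sha256_of(path), expected_sha256):
        raise ToolLoadRefused(f"{path} does not match its pinned hash; refusing to execute")
    spec = importlib.util.spec_from_file_location("custom_tools", path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)     # module-level code runs only past every check
    return module


def demo():
    """Constructed scenario (assumption, not real project data): a reviewed, benign
    tools.py in a project directory, then three refusals the loader must produce."""
    with tempfile.TemporaryDirectory() as tmp:
        project = Path(tmp) / "project"
        project.mkdir()
        tools = project / "tools.py"
        tools.write_text("def greet(name):\n    return 'hello ' + name\n")
        pinned = sha256_of(tools)       # hash captured at review time
        results = {"loaded": load_tools_module(tools, project, pinned, True).greet("agent")}
        attempts = {
            "no_opt_in": (tools, project, pinned, False),
            "wrong_hash": (tools, project, "0" * 64, True),   # file changed after review
            "outside_root": (tools, Path(tmp) / "other", pinned, True),
        }
        for label, args in attempts.items():
            try:
                load_tools_module(*args)
                results[label] = "loaded"
            except ToolLoadRefused:
                results[label] = "refused"
        return results
```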

Details

CWE(s): CWE-94 (Code Injection); the analysis above also maps CWE-426 and CWE-829.

Affected Products: praison / praisonai, versions prior to 4.5.128 (fixed in 4.5.128).

CVEs Like This One

Same product (Praison Praisonai): CVE-2026-39891, CVE-2026-40158, CVE-2026-39307, CVE-2026-44334, CVE-2026-40154, CVE-2026-40157, CVE-2026-40313, CVE-2026-39888, CVE-2026-40315, CVE-2026-40287.

References