Cyber Posture

CVE-2026-40158

Severity: High · Public PoC

Published: 10 April 2026
Modified: 20 April 2026
KEV Added: not listed
Patch: available (fixed in 4.5.128)
CVSS Score: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0003 (7.2th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40158 is a high-severity Code Injection (CWE-94, Improper Control of Generation of Code) vulnerability in PraisonAI (CPE vendor praison, product praisonai). Its CVSS v3.1 base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE is ranked at the 7.2th percentile by EPSS exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and SC-50 (Software-enforced Separation and Policy Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Python (T1059.006) and Exploitation for Client Execution (T1203). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)

Requires timely flaw remediation: upgrading PraisonAI to 4.5.128 removes the AST sandbox bypass and directly prevents the arbitrary code execution.

AC-25 Reference Monitor (prevent)

Mandates a reference monitor for access enforcement that provides complete mediation, isolation, and verifiability. This addresses the root cause here: AST filtering that checks only static attribute access and never sees dynamic attribute resolution such as type.__getattribute__.

SC-50 Software-enforced Separation and Policy Enforcement (prevent)

Enforces software-based separation between untrusted agent code and the host system, so that a sandbox escape via a trampoline to dangerous attributes does not reach the host.

MITRE ATT&CK Enterprise Techniques

T1059.006 Python (tactic: Execution)
Adversaries may abuse Python commands and scripts for execution.

T1203 Exploitation for Client Execution (tactic: Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.

Why these techniques?

The sandbox bypass in the Python code execution function directly enables arbitrary code execution through the Python interpreter (T1059.006), and getting a user to run the crafted agent code is exploitation of a client-side application for code execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using a type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses AST filtering to block dangerous Python attributes like __subclasses__, __globals__, and __bases__. However, the filter only checks ast.Attribute nodes, allowing a bypass. The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.__getattribute__, resulting in incomplete enforcement of security restrictions. The string '__subclasses__' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.

Deeper analysis

CVE-2026-40158 is a sandbox bypass in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.128. The issue resides in the AST-based Python sandbox of the _execute_code_direct function in praisonaiagents/tools/python_tools.py, which denies access to dangerous attributes such as __subclasses__, __globals__, and __bases__. The filter inspects only ast.Attribute nodes, so an attribute name supplied as a string literal (an ast.Constant such as '__subclasses__') is never compared against the denylist. Passing that string to a built-in that resolves attributes at runtime, type.__getattribute__, returns the very attribute the filter was meant to block, and from there the attacker can reach arbitrary code execution when the sandbox runs untrusted agent code. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code) and CWE-693 (Protection Mechanism Failure) and carries a CVSS v3.1 base score of 8.6 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H).

Exploitation requires local access to the system running PraisonAI, low attack complexity and no privileges, but does require user interaction, such as convincing a user to execute untrusted agent code within the sandbox. A malicious actor crafts Python code that passes the AST filter (for instance by reaching prohibited attributes through type.__getattribute__) and achieves arbitrary code execution on the host environment. The impact on confidentiality, integrity, and availability is high, and the scope is changed because the code escapes the sandbox boundary into the host.
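The following is an added example, not PraisonAI's own code, that models the filtering gap described in the NVD description and the analysis above: a denylist applied only to ast.Attribute nodes rejects object.__subclasses__() but accepts the same lookup written as a type.__getattribute__ trampoline, because '__subclasses__' then appears as an ast.Constant. The hardened variant below is one way to close that gap syntactically (deny every dunder attribute, every dunder string literal, and the dynamic-lookup builtins); the denylist contents, the DYNAMIC_LOOKUPS set and the two payload strings are assumptions constructed for this example.

```python
import ast

# Attribute names the advisory says the pre-4.5.128 filter denied, plus a few
# dunders of the same kind (the extra names are an assumption of this example).
BLOCKED_ATTRS = {"__subclasses__", "__globals__", "__bases__", "__mro__", "__code__"}

# Builtins that resolve attributes or code at runtime and therefore defeat a
# purely syntactic denylist (assumed list for this example, not exhaustive).
DYNAMIC_LOOKUPS = {
    "getattr", "setattr", "delattr", "vars", "globals", "locals",
    "eval", "exec", "compile", "__import__",
}

# Constructed payloads for illustration: the first uses a static attribute
# access, the second the trampoline pattern named in the advisory.
DIRECT_PAYLOAD = "object.__subclasses__()"
TRAMPOLINE_PAYLOAD = "type.__getattribute__(object, '__subclasses__')()"


def attribute_names(src: str) -> set:
    """Attribute names found by walking ast.Attribute nodes only."""
    return {n.attr for n in ast.walk(ast.parse(src)) if isinstance(n, ast.Attribute)}


def string_constants(src: str) -> set:
    """String literals in the code; these are ast.Constant nodes, not ast.Attribute."""
    return {
        n.value
        for n in ast.walk(ast.parse(src))
        if isinstance(n, ast.Constant) and isinstance(n.value, str)
    }


def naive_filter_allows(src: str) -> bool:
    """Models the flawed check: only ast.Attribute nodes are compared to the denylist."""
    return not (attribute_names(src) & BLOCKED_ATTRS)


def hardened_filter_allows(src: str) -> bool:
    """Rejects any dunder attribute, any dunder string literal, and dynamic-lookup builtins.

    Still a denylist: string building ('__sub' + 'classes__', chr(), format)
    can evade it, so this is defence in depth, not a substitute for process
    isolation.
    """
    for node in ast.walk(ast.parse(src)):
        if isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            return False
        if isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value.startswith("__"):
            return False
        if isinstance(node, ast.Name) and node.id in DYNAMIC_LOOKUPS:
            return False
    return True


def trampoline_reaches_blocked_attr() -> bool:
    """Shows that the trampoline resolves the denied attribute at runtime.

    Only the lookup is performed here; the returned method is not invoked.
    """
    m = type.__getattribute__(object, "__subclasses__")
    return m.__name__ == "__subclasses__" and m.__self__ is object


if __name__ == "__main__":
    for label, payload in (("direct", DIRECT_PAYLOAD), ("trampoline", TRAMPOLINE_PAYLOAD)):
        print(f"{label:>10}: naive allows={naive_filter_allows(payload)} "
              f"hardened allows={hardened_filter_allows(payload)}")
    print("attribute nodes in trampoline:", attribute_names(TRAMPOLINE_PAYLOAD))
    print("string constants in trampoline:", string_constants(TRAMPOLINE_PAYLOAD))
```

Running the module prints that the naive filter rejects the direct payload but allows the trampoline, whose only ast.Attribute is __getattribute__ while '__subclasses__' sits in an ast.Constant. The hardened filter rejects both, but it remains a syntactic denylist; the controls the page recommends (a reference monitor and software-enforced separation, in practice running agent code in a separate process or container with no access to the host) are what actually bound the damage when the next bypass pattern appears.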

The vulnerability was fixed in PraisonAI version 4.5.128. Additional details on the issue, including the patch and reproduction steps, are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3c4r-6p77-xwr7. Security practitioners should upgrade to the patched version and review any deployments running untrusted code in AI agent contexts.

Details

CWE(s)

CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-693 Protection Mechanism Failure

Affected Products

praison / praisonai, versions < 4.5.128 (fixed in 4.5.128)

CVEs Like This One (same product: Praison Praisonai)

CVE-2026-39891
CVE-2026-39888
CVE-2026-40156
CVE-2026-44334
CVE-2026-40157
CVE-2026-40315
CVE-2026-34955
CVE-2026-39305
CVE-2026-39308
CVE-2026-44340

References

GitHub Security Advisory GHSA-3c4r-6p77-xwr7: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3c4r-6p77-xwr7