CVE-2026-40287
Published: 14 April 2026
Summary
CVE-2026-40287 is a high-severity Code Injection (CWE-94) vulnerability in Praison Praisonai. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Path Interception by Search Order Hijacking (T1574.008). The CVE ranks at the 6.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-3 (Malicious Code Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the vulnerability by requiring installation of the fixed PraisonAI version 4.5.139 that eliminates the unsanitized import of tools.py.
Mandates integrity verification using cryptographic hashes or signatures for dynamically loaded files like tools.py, blocking malicious modifications before execution.
Deploys scanning and blocking mechanisms to identify and prevent execution of malicious code in tools.py files placed in the launch directory.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows arbitrary Python code execution by automatically importing an unsanitized tools.py file from the current working directory, directly enabling path interception via search order hijacking and Python script execution.
NVD Description
PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.
Deeper analysis
CVE-2026-40287 is an arbitrary code execution vulnerability in PraisonAI, a multi-agent teams system. Versions 4.5.138 and prior are affected due to automatic, unsanitized import of a tools.py file from the current working directory at startup. Specific components involved include call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths, which perform the import without validation, sandboxing, or user confirmation. The issue is rated with a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-94 (Improper Control of Generation of Code) and CWE-426 (Untrusted Search Path).
An attacker can exploit this vulnerability by placing a malicious tools.py file in the directory from which PraisonAI is launched, such as through a shared project, cloned repository, or writable workspace. No privileges or user interaction are required beyond local access to write the file. Successful exploitation results in immediate arbitrary Python code execution within the host environment, fully compromising the PraisonAI process, the host system, and any connected data or credentials.
The GitHub security advisory (GHSA-g985-wjh9-qxxc) confirms the issue has been fixed in PraisonAI version 4.5.139. Security practitioners should upgrade to this version or later and audit launch directories for unauthorized tools.py files.
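One way to apply the hash-verification control listed under Mitigating Controls to a dynamically loaded tools.py, shown as an added example: this is not PraisonAI's code and not the 4.5.139 fix. The names `load_pinned_tools` and `UntrustedToolsError` and the sample file contents are hypothetical and constructed for illustration.

```python
# Added example; not PraisonAI's loader. All names here are hypothetical.
import hashlib
import hmac
import os
import tempfile
import types


class UntrustedToolsError(Exception):
    """Raised when tools.py does not match the pinned digest."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def load_pinned_tools(path: str, pinned_sha256: str) -> types.ModuleType:
    """Load a tools file only if its bytes match the pinned SHA-256."""
    # Read once: the bytes that are hashed are the bytes that get compiled,
    # so the file cannot be swapped between the check and the load.
    with open(path, "rb") as fh:
        data = fh.read()
    if not hmac.compare_digest(sha256_hex(data), pinned_sha256.lower()):
        raise UntrustedToolsError(f"{path}: digest mismatch, refusing to load")
    module = types.ModuleType("pinned_tools")
    module.__file__ = os.path.abspath(path)
    exec(compile(data, module.__file__, "exec"), module.__dict__)
    return module


def demo() -> tuple:
    """Constructed sample: a reviewed tools.py, then a modified copy."""
    reviewed = b"def add(a, b):\n    return a + b\n"
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "tools.py")
        with open(path, "wb") as fh:
            fh.write(reviewed)
        pin = sha256_hex(reviewed)           # digest recorded at review time
        result = load_pinned_tools(path, pin).add(2, 3)
        with open(path, "ab") as fh:         # file changes after review
            fh.write(b"CHANGED = True\n")
        try:
            load_pinned_tools(path, pin)
            blocked = False
        except UntrustedToolsError:
            blocked = True
    return result, blocked
```

The pinned digest has to live somewhere the workspace writer cannot modify (for example, deployment configuration), otherwise the pin can be replaced along with the file.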
PraisonAI's role as a multi-agent system introduces AI/ML relevance, as exploitation could manipulate agent behaviors or exfiltrate training data or models from compromised environments. No real-world exploitation has been reported as of the CVE publication on 2026-04-14.
Details
- CWE(s)