Cyber Resilience

CVE-2026-4965

Medium

Published: 27 March 2026

Published
27 March 2026
Modified
30 March 2026
KEV Added
Patch
CVSS Score v4 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0002 7.2th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-4965 is a medium-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 6.9 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 7.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-4965 is a code injection vulnerability stemming from an incomplete fix for CVE-2025-6101 in the letta-ai letta framework version 0.16.4. It affects the resolve_type function within the file letta/functions/ast_parsers.py, where improper neutralization of directives in dynamically evaluated code (classified under CWE-94 and CWE-95) allows malicious input to be processed unsafely. The issue carries a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L), indicating high severity due to its network accessibility and lack of prerequisites.

Remote attackers can exploit this vulnerability without authentication or user interaction by manipulating inputs to the affected function, potentially leading to arbitrary code execution or directive injection during dynamic code evaluation. Successful exploitation grants low-level impacts on confidentiality, integrity, and availability, enabling data leakage, modification of application state, or denial of service within the letta framework's parsing context.

Advisories from VulDB (ctiid.353842, id.353842, submit.777654) document the issue, with a public exploit available via a GitHub Gist (https://gist.github.com/YLChen-007/fc09bc447a73bba526c1642d9ce73ca5). No patches or vendor responses are reported, as the letta-ai team was contacted early but did not reply; security practitioners should avoid version 0.16.4 and monitor for updates.

The exploit's public availability increases the risk of active exploitation, particularly in environments using letta-ai for AI-related dynamic code processing.

EU & UK References

Vulnerability details

A vulnerability was detected in letta-ai letta 0.16.4. This issue affects the function resolve_type of the file letta/functions/ast_parsers.py of the component Incomplete Fix CVE-2025-6101. Performing a manipulation results in improper neutralization of directives in dynamically evaluated code. The attack can…

more

be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python Execution
Adversaries may abuse Python commands and scripts for execution.
Why these techniques?

Remote unauthenticated code injection (CWE-94/95) in Python dynamic evaluation directly enables T1190 (Exploit Public-Facing Application) for initial access and T1059.006 (Python) for arbitrary code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-33017Shared CWE-94, CWE-95
CVE-2026-28505Shared CWE-94, CWE-95
CVE-2026-33873Shared CWE-94
CVE-2025-54322Shared CWE-94, CWE-95
CVE-2026-33057Shared CWE-94
CVE-2026-5971Shared CWE-94, CWE-95
CVE-2026-39421Shared CWE-94
CVE-2025-53890Shared CWE-94
CVE-2026-31220Shared CWE-94
CVE-2026-0863Shared CWE-94, CWE-95

Affected Assets

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires timely remediation of the specific code injection flaw in letta 0.16.4's resolve_type function via patches or compensating controls.

prevent

Mandates validation of inputs to the ast_parsers.py function to neutralize malicious directives before dynamic code evaluation.

prevent

Implements memory protections like non-executable regions to mitigate arbitrary code execution even if injection succeeds.

References