PT-2026-31455 · Unknown+1 · Praisonaiagents+1

Published 2026-04-08 · Updated 2026-06-01 · CVE-2026-39888

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

praisonaiagents versions prior to 1.5.115
Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.115, the execute_code() function in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess with a restricted builtins dictionary and an AST-based blocklist. The AST blocklist used within the subprocess wrapper contains only 11 attribute names, a small subset of the 30+ names blocked in the direct-execution path. In particular, the attributes needed for frame traversal (__traceback__, tb_frame, f_back and f_builtins) are absent from the subprocess blocklist.

By chaining these attributes from a caught exception, user code can reach the real Python builtins dictionary of the subprocess wrapper's frame, retrieve exec from it under a non-blocked variable name, and thereby bypass all remaining restrictions. The result is arbitrary code execution on the host in the user context of the subprocess, enabling file system access, environment variable exfiltration and potential lateral movement.
Recommendations

Update praisonaiagents to version 1.5.115 or later.

Weakness Enumeration

Protection Mechanism Failure (CWE-693)

Related Identifiers

CVE-2026-39888
GHSA-QF73-2HRX-XPRP

Affected Products

Praisonai
Praisonaiagents