CVE-2026-40158

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.128

Description PraisonAI's AST-based Python sandbox can be bypassed using the type. getattribute trampoline, leading to arbitrary code execution when running untrusted agent code. The execute code direct function in praisonaiagents/tools/python tools.py uses AST filtering to block dangerous Python attributes, but the filter only checks ast.Attribute nodes. This allows a bypass because the sandbox does not account for dynamic attribute resolution via methods such as type.getattribute, resulting in incomplete enforcement of security restrictions. The string ' subclasses ' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list.

Recommendations Update to version 4.5.128 or later.