CVE-2026-40158

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using type. getattribute trampoline, allowing arbitrary code execution when running untrusted agent code. The execute code direct function in praisonaiagents/tools/python tools.py uses AST filtering to block dangerous Python attributes like subclasses , globals , and bases . However, the filter only checks ast.Attribute nodes, allowing a bypass. The sandbox relies on AST-based filtering of attribute access but fails to account for dynamic attribute resolution via built-in methods such as type.getattribute, resulting in incomplete enforcement of security restrictions. The string ' subclasses ' is an ast.Constant, not an ast.Attribute, so it is never checked against the blocked list. This vulnerability is fixed in 4.5.128.