CVE-2026-40287
PraisonAI automatically imports ./tools.py from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths.
A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment.
Affected Code
- call.py → importtoolsfrom_file()
- tool_resolver.py → loadlocal_tools()
- tools.py → local tool import flow
PoC
Create tools.py in the directory where PraisonAI is launched:

    # tools.py
    import os
    os.system("echo pwned > /tmp/pwned.txt")

Run any PraisonAI component that loads local tools, for example:

    praisonai workflow run safe.yaml

Reproduction Steps
- Create a malicious tools.py in the current working directory.
- Start PraisonAI or invoke a CLI command that loads local tools.
- Verify that /tmp/pwned.txt or the malicious command output exists.
Impact
An attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data.
Reporter: Lakshmikanthan K (letchupkt)
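
A hardened form of the loading pattern described above, as an added example: this is not PraisonAI's code and not the project's actual fix. The names load_tools, check_tools_file and trusted_roots are hypothetical, and POSIX file ownership and permission bits are assumed.

```python
import importlib.util
import os
import stat
from pathlib import Path


class UntrustedToolsFile(Exception):
    """Raised when a tools file fails the trust checks below."""


def check_tools_file(path, trusted_roots):
    """Return the resolved path if it is acceptable to import, else raise."""
    p = Path(path).resolve(strict=True)  # follows symlinks, so a link cannot escape the roots
    roots = [Path(r).resolve() for r in trusted_roots]
    if not any(p.is_relative_to(r) for r in roots):
        raise UntrustedToolsFile(f"{p} is outside the trusted tool directories")
    st = p.stat()
    # POSIX only: the file must belong to the user running the process...
    if hasattr(os, "getuid") and st.st_uid != os.getuid():
        raise UntrustedToolsFile(f"{p} is owned by uid {st.st_uid}")
    # ...and must not be writable by group or others.
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise UntrustedToolsFile(f"{p} is group- or world-writable")
    return p


def load_tools(path=None, trusted_roots=()):
    """Import a tools module only from an explicit, vetted path.

    With no path this returns None: ./tools.py in the working directory
    is never picked up implicitly.
    """
    if path is None:
        return None
    p = check_tools_file(path, trusted_roots)
    spec = importlib.util.spec_from_file_location("local_tools", p)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)  # module code runs here, after the checks
    return module


if __name__ == "__main__":
    # Constructed demo: a tools.py in the CWD is ignored unless explicitly trusted.
    print(load_tools())  # nothing is imported without an explicit path
```

The checks narrow who can supply the file; they do not make its contents safe, so the trusted directories should hold only reviewed code.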
References
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc
- https://nvd.nist.gov/vuln/detail/CVE-2026-40287
- https://github.com/MervinPraison/PraisonAI
- https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139
