PraisonAI Arbitrary Code Execution Vulnerability (CVE-2026-40156)
PraisonAI versions before 4.5.128 are vulnerable to arbitrary code execution due to the automatic loading and execution of a 'tools.py' file from the current working directory without proper validation or user consent, potentially allowing attackers to execute malicious code by placing a rogue file in a PraisonAI execution directory.
PraisonAI, a multi-agent teams system, is susceptible to arbitrary code execution in versions prior to 4.5.128. This vulnerability stems from the application's automatic loading of a tools.py file from the current working directory. This loading process leverages importlib.util.spec_from_file_location and immediately executes module-level code using spec.loader.exec_module() without any user consent, validation, or sandboxing mechanisms. The vulnerability arises because tools.py is loaded implicitly, even if not referenced in any configuration files. An attacker who can place a malicious tools.py file in a directory where PraisonAI is executed can achieve arbitrary code execution upon startup. This vulnerability violates the expected security boundary and makes automated systems running PraisonAI susceptible to compromise. The vulnerability is identified as CVE-2026-40156 and is resolved in version 4.5.128.
Attack Chain
- The attacker identifies a system running a vulnerable version of PraisonAI (versions prior to 4.5.128).
- The attacker gains write access to a directory where PraisonAI is executed. This could be achieved through various means, such as exploiting a separate vulnerability or leveraging existing access.
- The attacker crafts a malicious
tools.pyfile containing arbitrary code. - The attacker places the malicious
tools.pyfile into the PraisonAI working directory. - PraisonAI is started (either manually or automatically, such as through a scheduled task or CI/CD pipeline).
- PraisonAI automatically loads the
tools.pyfile usingimportlib.util.spec_from_file_location. - The code within
tools.pyis immediately executed viaspec.loader.exec_module(), granting the attacker arbitrary code execution within the context of the PraisonAI process. - The attacker's code can perform actions such as installing malware, creating new user accounts, or exfiltrating sensitive data.
Impact
Successful exploitation of CVE-2026-40156 allows an attacker to execute arbitrary code on the affected system. This could lead to complete system compromise, including data theft, malware installation, and denial of service. The severity is high due to the ease of exploitation (simply placing a file in a directory) and the potential for significant damage. Victims would likely include organizations utilizing PraisonAI in automated or user-driven workflows.
Recommendation
- Upgrade PraisonAI to version 4.5.128 or later to patch CVE-2026-40156.
- Implement strict access controls on directories where PraisonAI is executed to prevent unauthorized file creation, mitigating the impact of CVE-2026-40156.
- Deploy the Sigma rule
Detect PraisonAI tools.py Executionto identify instances where atools.pyfile is loaded from unexpected locations. - Enable process monitoring and auditing to detect suspicious activity originating from PraisonAI processes following exploitation of CVE-2026-40156.
Detection coverage 2
Detect PraisonAI tools.py Execution
highDetects the execution of tools.py by PraisonAI, indicative of potential exploitation of CVE-2026-40156.
Detect tools.py File Creation in PraisonAI Directories
mediumDetects the creation of tools.py files in directories commonly used by PraisonAI, which could indicate an attempt to exploit CVE-2026-40156.
Detection queries are available on the platform. Get full rules →