{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40287/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2026-40287"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["praisonai","code-execution","cve-2026-40287"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is vulnerable to arbitrary code execution in versions 4.5.138 and below. The vulnerability stems from the automatic and unsanitized import of a \u003ccode\u003etools.py\u003c/code\u003e file from the current working directory during application startup. Specifically, components like \u003ccode\u003ecall.py\u003c/code\u003e (via \u003ccode\u003eimport_tools_from_file()\u003c/code\u003e), \u003ccode\u003etool_resolver.py\u003c/code\u003e (via \u003ccode\u003e_load_local_tools()\u003c/code\u003e), and command-line tool loading paths directly import \u003ccode\u003e./tools.py\u003c/code\u003e without validation, sandboxing, or user confirmation. An attacker capable of placing a malicious \u003ccode\u003etools.py\u003c/code\u003e file within the directory where PraisonAI is launched can achieve immediate, arbitrary Python code execution on the host system. This can occur through shared projects, cloned repositories, or writable workspaces. Successful exploitation allows complete control over the PraisonAI process, the host system, and any associated data or credentials. Users are advised to upgrade to version 4.5.139 or later to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PraisonAI instance running version 4.5.138 or below.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious Python script named \u003ccode\u003etools.py\u003c/code\u003e containing arbitrary code.\u003c/li\u003e\n\u003cli\u003eAttacker gains write access to the directory where PraisonAI is launched. This could be through a compromised shared project, a writable workspace, or other means of file upload.\u003c/li\u003e\n\u003cli\u003eAttacker places the malicious \u003ccode\u003etools.py\u003c/code\u003e file into the PraisonAI launch directory.\u003c/li\u003e\n\u003cli\u003ePraisonAI is started or restarted, automatically importing and executing the attacker\u0026rsquo;s \u003ccode\u003etools.py\u003c/code\u003e file. The \u003ccode\u003ecall.py\u003c/code\u003e or \u003ccode\u003etool_resolver.py\u003c/code\u003e components trigger the import process.\u003c/li\u003e\n\u003cli\u003eThe malicious code in \u003ccode\u003etools.py\u003c/code\u003e executes within the context of the PraisonAI process.\u003c/li\u003e\n\u003cli\u003eAttacker achieves arbitrary code execution on the host system, escalating privileges as needed.\u003c/li\u003e\n\u003cli\u003eAttacker uses the compromised system to steal data, install malware, or pivot to other systems.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to execute arbitrary code on systems running vulnerable versions of PraisonAI. This can lead to complete system compromise, data theft, and potential lateral movement within the network. The vulnerability affects all users of PraisonAI versions 4.5.138 and below. The impact of this vulnerability is high due to the ease of exploitation and the potential for widespread damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.139 or later to patch CVE-2026-40287.\u003c/li\u003e\n\u003cli\u003eImplement strict file permission controls on the PraisonAI installation directory to prevent unauthorized file creation.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect suspicious file creation events in PraisonAI working directories.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring on systems running PraisonAI to detect unexpected Python code execution.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:18:15Z","date_published":"2026-04-14T04:18:15Z","id":"/briefs/2026-04-praisonai-code-exec/","summary":"PraisonAI versions 4.5.138 and below are vulnerable to arbitrary code execution due to the unsanitized import of a malicious tools.py file, leading to potential system compromise.","title":"PraisonAI Arbitrary Code Execution Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-code-exec/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40287","version":"https://jsonfeed.org/version/1.1"}