CVE-2026-40287
PraisonAI Vulnerable to RCE via Automatic tools.py Import
Description
PraisonAI automatically imports `./tools.py` from the current working directory when launching certain components. This includes call.py, tool_resolver.py, and CLI tool-loading paths. A malicious tools.py placed in the process working directory is executed immediately, allowing arbitrary Python code execution in the host environment. ### Affected Code - call.py → `import_tools_from_file()` - tool_resolver.py → `_load_local_tools()` - tools.py → local tool import flow - ### PoC Create tools.py in the directory where PraisonAI is launched: ```python # tools.py import os os.system("echo pwned > /tmp/pwned.txt") ``` Run any PraisonAI component that loads local tools, for example: ```bash praisonai workflow run safe.yaml ``` ### Reproduction Steps 1. Create a malicious tools.py in the current working directory. 2. Start PraisonAI or invoke a CLI command that loads local tools. 3. Verify that `/tmp/pwned.txt` or the malicious command output exists. ### Impact An attacker who can place or influence tools.py in the working directory can execute arbitrary code in the PraisonAI process, compromising the host and any connected data. **Reporter:** Lakshmikanthan K (letchupkt)
How to fix CVE-2026-40287
To remediate CVE-2026-40287, upgrade the affected package to a fixed version below.
- —upgrade to 4.5.139 or later
- —upgrade to 1.5.140 or later
Is CVE-2026-40287 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 4.5.139