CVE-2026-39888 Overview
CVE-2026-39888 is a critical sandbox escape vulnerability in PraisonAI, a multi-agent teams system. The vulnerability exists in the execute_code() function within praisonaiagents.tools.python_tools, which defaults to sandbox_mode="sandbox". This mode runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. However, the AST blocklist embedded inside the subprocess wrapper contains only 11 attribute names—a strict subset of the 30+ names blocked in the direct-execution path—allowing attackers to bypass the sandbox and achieve arbitrary code execution.
Critical Impact
Attackers can escape the PraisonAI sandbox environment and execute arbitrary Python code on the underlying system, potentially leading to complete system compromise, data theft, or lateral movement within the network.
Affected Products
- PraisonAI versions prior to 1.5.115
- PraisonAI multi-agent teams system with python_tools module
Discovery Timeline
- 2026-04-08 - CVE-2026-39888 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2026-39888
Vulnerability Analysis
This sandbox escape vulnerability (CWE-657: Violation of Secure Design Principles) stems from an incomplete implementation of security controls in the AST-based attribute blocklist. The subprocess execution path implements a significantly weaker blocklist compared to the direct-execution path, creating an exploitable gap in the sandbox's security boundary.
The core issue is that four critical attributes that form a frame-traversal chain out of the sandbox are entirely absent from the subprocess blocklist: __traceback__, tb_frame, f_back, and f_builtins. These attributes are essential components of Python's exception and frame introspection mechanism and can be chained together to escape the restricted environment.
Root Cause
The root cause is an incomplete attribute blocklist in the subprocess execution path of python_tools.py. While the direct-execution path blocks 30+ dangerous attribute names, the blocked_attrs list in the subprocess wrapper contains only 11 entries. This inconsistency violates secure design principles and creates a bypass path.
The missing attributes (__traceback__, tb_frame, f_back, f_builtins) enable attackers to traverse Python's frame stack from a caught exception object, eventually reaching the real __builtins__ dictionary of the subprocess wrapper frame—effectively breaking out of the restricted execution context.
Attack Vector
The attack leverages Python's exception handling and frame introspection to escape the sandbox:
- An attacker triggers an exception within the sandbox environment
- By catching the exception, the attacker gains access to its __traceback__ attribute
- From the traceback object, the attacker traverses to tb_frame to access the frame object
- Using f_back, the attacker walks up the call stack to reach the wrapper frame
- The f_builtins attribute exposes the unrestricted __builtins__ dictionary
- The attacker retrieves exec (or similar dangerous functions) using a non-blocked variable name
- Arbitrary code execution is achieved, bypassing all remaining security layers
The attack can be executed remotely over the network with low complexity, requiring only low-privilege access to submit code for execution. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-39888
Indicators of Compromise
- Unexpected access to frame introspection attributes (__traceback__, tb_frame, f_back, f_builtins) in PraisonAI execution logs
- Unusual subprocess spawning or child process activity originating from PraisonAI agent processes
- Evidence of code execution outside the expected sandbox boundaries
- Anomalous system calls or file access patterns from PraisonAI worker processes
Detection Strategies
- Monitor for Python code submissions containing frame traversal attribute chains (__traceback__, tb_frame, f_back, f_builtins)
- Implement logging and alerting for access attempts to restricted built-in functions like exec, eval, compile, and __import__
- Deploy runtime security monitoring to detect sandbox escape attempts through behavioral analysis
- Review PraisonAI execution logs for exception handling patterns followed by suspicious attribute access
Monitoring Recommendations
- Enable verbose logging for all code execution within PraisonAI agents
- Monitor subprocess activity and system calls originating from PraisonAI processes
- Implement network egress monitoring for unexpected outbound connections from agent processes
- Set up alerts for any code execution patterns that deviate from expected agent behavior
How to Mitigate CVE-2026-39888
Immediate Actions Required
- Upgrade PraisonAI to version 1.5.115 or later immediately
- Audit existing deployments for signs of exploitation
- Review any code that was executed through the vulnerable execute_code() function
- Consider temporarily disabling code execution features until the patch is applied
Patch Information
This vulnerability is fixed in PraisonAI version 1.5.115. The patch addresses the incomplete AST blocklist by adding the missing frame-traversal attributes (__traceback__, tb_frame, f_back, f_builtins) to the subprocess execution path blocklist, ensuring parity with the direct-execution path.
For patch details and upgrade instructions, refer to the GitHub Security Advisory.
Workarounds
- If upgrading is not immediately possible, consider disabling the sandbox code execution feature entirely
- Implement additional network isolation for systems running PraisonAI agents
- Deploy application-level firewalls to restrict subprocess capabilities
- Use containerization with restricted syscall policies to limit the impact of potential sandbox escapes
# Configuration example - Upgrade PraisonAI to patched version
pip install --upgrade praisonai>=1.5.115
# Verify installed version
pip show praisonai | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
