CVE-2026-40158 Overview
CVE-2026-40158 is a code injection vulnerability in PraisonAI, a multi-agent teams system. Prior to version 4.5.128, PraisonAI's AST-based Python sandbox can be bypassed using a type.__getattribute__ trampoline, allowing arbitrary code execution when running untrusted agent code. This vulnerability represents a significant risk for organizations using PraisonAI to execute agent-generated code, as attackers can escape the intended sandbox restrictions.
Critical Impact
Attackers can bypass sandbox restrictions and achieve arbitrary code execution on systems running untrusted PraisonAI agent code, potentially leading to full system compromise.
Affected Products
- PraisonAI versions prior to 4.5.128
- Systems running untrusted agent code through PraisonAI's _execute_code_direct function
- Deployments utilizing praisonaiagents/tools/python_tools.py
Discovery Timeline
- April 10, 2026 - CVE-2026-40158 published to NVD
- April 13, 2026 - Last updated in NVD database
Technical Details for CVE-2026-40158
Vulnerability Analysis
This vulnerability stems from incomplete AST-based filtering in PraisonAI's Python sandbox implementation. The _execute_code_direct function in praisonaiagents/tools/python_tools.py uses Abstract Syntax Tree (AST) filtering to block dangerous Python attributes such as __subclasses__, __globals__, and __bases__. However, this filtering mechanism only inspects ast.Attribute nodes, creating a significant security gap.
The fundamental issue is that the sandbox fails to account for dynamic attribute resolution via built-in methods such as type.__getattribute__. When an attacker passes restricted attribute names as string constants (e.g., '__subclasses__'), these appear as ast.Constant nodes in the AST rather than ast.Attribute nodes. Since the filter only checks ast.Attribute nodes against the blocked list, these string constants pass through undetected.
This allows an attacker to use the type.__getattribute__ method as a trampoline to access blocked attributes dynamically at runtime, completely bypassing the intended security restrictions. The vulnerability is classified as CWE-94 (Improper Control of Generation of Code), reflecting the code injection nature of the attack.
Root Cause
The root cause lies in the incomplete implementation of AST-based security filtering. The sandbox design assumes that all dangerous attribute accesses will appear as ast.Attribute nodes in the parsed AST. However, Python's dynamic nature allows attribute names to be passed as string constants and resolved at runtime via methods like type.__getattribute__. Since string literals are parsed as ast.Constant nodes, they evade the attribute blocklist check entirely.
This represents a fundamental misunderstanding of Python's attribute resolution mechanism. The filter should have either:
- Blocked calls to type.__getattribute__ and similar reflection methods
- Scanned string constants for dangerous attribute names
- Implemented runtime-level sandboxing rather than relying solely on static AST analysis
Attack Vector
The attack requires local access with user interaction to execute. An attacker crafts malicious Python code that leverages type.__getattribute__ to access blocked attributes indirectly. Instead of writing object.__subclasses__, which would be caught by the AST filter, the attacker uses type.__getattribute__(object, '__subclasses__'). The string '__subclasses__' is not recognized as an attribute access by the filter, allowing the code to pass validation and execute with full access to Python's introspection capabilities.
From there, the attacker can traverse the class hierarchy to locate dangerous classes (like those with access to os or subprocess), instantiate them, and execute arbitrary system commands. This effectively provides the attacker with full code execution privileges within the context of the PraisonAI process.
The attack mechanism involves passing restricted attribute names as string constants to bypass AST filtering. Since the _execute_code_direct function only inspects ast.Attribute nodes, string constants like '__subclasses__' are never checked against the blocklist. This allows attackers to use type.__getattribute__ as a trampoline to dynamically resolve and access blocked attributes at runtime. For detailed technical analysis, see the GitHub Security Advisory.
Detection Methods for CVE-2026-40158
Indicators of Compromise
- Presence of type.__getattribute__ or getattr calls with string arguments referencing __subclasses__, __globals__, or __bases__ in agent code submissions
- Unexpected process spawning or file system access from PraisonAI worker processes
- Agent code containing obfuscated or encoded string constants that resolve to blocked attribute names
- Anomalous system calls or network connections originating from the PraisonAI execution context
Detection Strategies
- Implement runtime monitoring of attribute access patterns within PraisonAI sandboxed code execution
- Deploy application-layer logging to capture all code submissions to _execute_code_direct for forensic analysis
- Use endpoint detection solutions to monitor for sandbox escape indicators such as unexpected child processes or system calls
- Implement string pattern matching for known dangerous attribute names in code submissions, not just AST-level filtering
Monitoring Recommendations
- Enable comprehensive logging for all code execution requests within PraisonAI agents
- Monitor process trees to detect unexpected subprocess creation from PraisonAI worker processes
- Implement file integrity monitoring on systems running PraisonAI to detect unauthorized modifications
- Set up alerts for any access attempts to sensitive system resources from sandboxed code contexts
How to Mitigate CVE-2026-40158
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.128 or later immediately
- Audit all agent code submissions for potential exploitation attempts using type.__getattribute__ patterns
- Consider temporarily disabling untrusted code execution capabilities until the patch is applied
- Review system logs for any signs of past exploitation attempts
Patch Information
The vulnerability is fixed in PraisonAI version 4.5.128. Organizations should update to this version or later to remediate the vulnerability. The patch addresses the AST filtering bypass by implementing more comprehensive security checks that account for dynamic attribute resolution methods.
For detailed patch information and security advisory, refer to the GitHub Security Advisory.
Workarounds
- Restrict code execution to trusted sources only until the patch can be applied
- Implement additional runtime sandboxing layers such as containerization or restricted user contexts
- Deploy network segmentation to limit the impact of potential sandbox escapes
- Consider using alternative sandboxing mechanisms like RestrictedPython or PyPy sandboxing as defense-in-depth measures
# Configuration example - Upgrade PraisonAI to patched version
pip install --upgrade praisonai>=4.5.128
# Verify installed version
pip show praisonai | grep Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
