CVE-2026-40287 Overview
CVE-2026-40287 is an arbitrary code execution vulnerability affecting PraisonAI, a multi-agent teams system. The vulnerability exists in versions 4.5.138 and below, where the application automatically imports a tools.py file from the current working directory without any validation, sandboxing, or user confirmation. This unsanitized import behavior allows attackers to execute arbitrary Python code in the host environment.
Critical Impact
An attacker who can place a malicious tools.py file in the directory where PraisonAI is launched can achieve immediate arbitrary Python code execution, compromising the full PraisonAI process, the host system, and any connected data or credentials.
Affected Products
- PraisonAI versions 4.5.138 and below
- Components: call.py (import_tools_from_file())
- Components: tool_resolver.py (_load_local_tools())
- CLI tool-loading paths
Discovery Timeline
- 2026-04-14 - CVE CVE-2026-40287 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-40287
Vulnerability Analysis
This vulnerability is classified as Code Injection (CWE-94), where the application blindly imports and executes code from an untrusted source. The attack requires local access to place a malicious file in a directory where PraisonAI will be executed, making it particularly dangerous in shared development environments, collaborative workspaces, or when users clone untrusted repositories.
The vulnerability stems from a fundamental trust assumption in the application's design—that files in the current working directory are inherently trustworthy. This assumption fails in modern development workflows where directories may contain files from multiple sources with varying levels of trust.
Root Cause
The root cause is the automatic, unsanitized import of ./tools.py at startup across multiple components of PraisonAI. The affected components include:
- call.py - Contains import_tools_from_file() function that performs the import
- tool_resolver.py - Contains _load_local_tools() function with similar behavior
- CLI tool-loading paths that blindly import from the working directory
These components execute Python code from the local tools.py file without performing any integrity checks, signature validation, sandboxing, or prompting the user for confirmation.
Attack Vector
The attack vector is local, requiring an attacker to place a malicious tools.py file in a directory where a user will execute PraisonAI. Common attack scenarios include:
- Supply chain attacks: A malicious tools.py hidden in a cloned repository
- Shared workspace compromise: Placing the file in a shared project directory
- Writable workspace exploitation: Writing to directories where developers commonly run the tool
When PraisonAI is launched, it automatically imports the malicious file, executing any Python code contained within. This grants the attacker the same privileges as the user running PraisonAI, enabling data exfiltration, credential theft, backdoor installation, or further lateral movement within the environment.
The vulnerability mechanism involves Python's import system executing arbitrary code when the tools.py module is loaded. When PraisonAI components call import functions on ./tools.py, any top-level code in that file is immediately executed, allowing attackers to run malicious payloads before the application even completes initialization. For technical details, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-40287
Indicators of Compromise
- Unexpected tools.py files appearing in project directories or workspaces where PraisonAI is executed
- Unusual network connections or process spawning originating from PraisonAI processes
- Suspicious Python import activities in directories not typically associated with the user's legitimate workflows
Detection Strategies
- Monitor file system activity for creation or modification of tools.py files in directories where PraisonAI is commonly executed
- Implement application allowlisting to detect unauthorized code execution from Python processes
- Analyze process trees for unexpected child processes spawned by PraisonAI
Monitoring Recommendations
- Enable file integrity monitoring on development workspaces and shared project directories
- Configure endpoint detection to alert on Python processes importing modules from writable user directories
- Review audit logs for PraisonAI execution in directories containing recently modified tools.py files
How to Mitigate CVE-2026-40287
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.139 or later immediately
- Audit all directories where PraisonAI has been executed for suspicious tools.py files
- Review recently cloned repositories or shared workspaces for unauthorized files
Patch Information
This vulnerability has been fixed in PraisonAI version 4.5.139. The fix addresses the unsanitized import behavior in call.py, tool_resolver.py, and CLI tool-loading paths. Users should upgrade to the patched version as soon as possible. For additional information, see the GitHub Security Advisory.
Workarounds
- Before running PraisonAI, manually inspect the current working directory for any tools.py files that should not be present
- Execute PraisonAI from dedicated, clean directories with restricted write permissions
- Implement directory-level access controls to prevent unauthorized file creation in development workspaces
# Configuration example
# Upgrade PraisonAI to the patched version
pip install --upgrade praisonai>=4.5.139
# Verify the installed version
pip show praisonai | grep Version
# Check for suspicious tools.py files before running PraisonAI
find . -name "tools.py" -type f -ls
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
