CVE-2026-42079 Overview
CVE-2026-42079 is an arbitrary code execution vulnerability in PPTAgent, an agentic framework for reflective PowerPoint generation. The framework passes large language model (LLM) generated code to Python's eval() function with built-in functions in scope. An attacker who can influence the LLM output, such as through a crafted input document or prompt, can execute arbitrary Python code in the host process. The issue is tracked under CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code. Maintainers patched the flaw in commit 418491a by restricting the evaluation environment.
Critical Impact
Successful exploitation grants full code execution in the PPTAgent process, leading to complete loss of confidentiality, integrity, and availability on the host running the framework.
Affected Products
- PPTAgent (icip-cas/PPTAgent) prior to commit 418491a
- Deployments embedding PPTAgent's pptagent/apis.py SlideRenderer logic
- PPTAgent MCP server deployments using pptagent/mcp_server.py
Discovery Timeline
- 2026-05-04 - CVE-2026-42079 published to NVD
- 2026-05-05 - CVE-2026-42079 last updated in NVD database
Technical Details for CVE-2026-42079
Vulnerability Analysis
PPTAgent uses an LLM to generate Python code that drives slide rendering and related operations. The framework executed that generated code using Python's built-in eval() function. Because eval() was called without restricting __builtins__, the evaluated expression had access to the full Python built-in namespace, including __import__, open, and exec. Any prompt path that lets an attacker steer LLM output toward Python expressions yields arbitrary code execution. The attack vector is local and requires user interaction, typically a user submitting a malicious document or prompt to the agent. Impact spans confidentiality, integrity, and availability because the executed code runs with the privileges of the PPTAgent process.
Root Cause
The root cause is unsafe dynamic evaluation of untrusted code [CWE-95]. The pre-patch implementation invoked eval() on LLM-generated strings without sandboxing the globals dictionary. With built-ins reachable, expressions such as __import__('os').system(...) execute directly. LLM output is functionally untrusted input because adversarial prompts and prompt-injected documents can shape it.
Attack Vector
An attacker supplies content, for example a PowerPoint source, table, or instruction, that causes the LLM to emit Python code containing malicious calls. PPTAgent then evaluates that code through eval(), executing the payload. Because PPTAgent reads referenced resources from the filesystem, paths outside the intended workspace can also be reached prior to the patch.
# Security patch in pptagent/apis.py (commit 418491a)
logger = get_logger(__name__)
TABLE_REGEX = re.compile(r".*table_[0-9a-fA-F]{4}\.png$")
SAFE_EVAL_GLOBALS = {"__builtins__": {}}
class SlideRenderer(HTMLRenderer):
...
# Source: https://github.com/icip-cas/PPTAgent/commit/418491a9a1c02d9d93194b5973bb58df35cf9d00
The patch introduces SAFE_EVAL_GLOBALS with an empty __builtins__ dictionary, removing access to built-in functions during evaluation. A second hunk in pptagent/mcp_server.py adds resolve_path_in_workspace to constrain file resolution to a defined workspace directory.
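The following is an added example, not code from PPTAgent or from the commit above, showing the pre-patch and post-patch eval() patterns from the Root Cause and Patch sections side by side against a constructed stand-in slide object, plus a stricter allowlist variant. One caveat worth stating for anyone reviewing the fix: an empty __builtins__ mapping makes names such as __import__, open and exec unresolvable, but it does not turn eval() into a sandbox, because the object model of whatever is left in scope remains reachable through attribute access. The third function therefore parses the expression with ast and accepts only calls of explicitly named methods on the slide object, rejecting every other name, any dunder attribute and any other syntax before evaluation. FakeSlide, the function names and the allowed_methods parameter are assumptions made for this illustration.

```python
import ast


class FakeSlide:
    """Constructed stand-in for a slide object exposed to generated code
    (hypothetical; not PPTAgent's real SlideRenderer API)."""

    def __init__(self):
        self.ops = []

    def add_text(self, text):
        self.ops.append(("text", text))
        return len(self.ops)


def render_unsafe(expr, slide):
    """Pre-patch pattern: the globals dict has no __builtins__ key, so
    Python silently inserts the full built-in namespace into scope."""
    return eval(expr, {"slide": slide})


def render_patched(expr, slide):
    """Post-patch pattern (what SAFE_EVAL_GLOBALS achieves): an empty
    __builtins__ mapping, so __import__, open and exec are unresolvable."""
    return eval(expr, {"__builtins__": {}, "slide": slide}, {})


# Node types an allowlisted rendering expression may contain.
ALLOWED_NODES = (
    ast.Expression, ast.Call, ast.Attribute, ast.Name, ast.Constant,
    ast.Load, ast.keyword,
)


def render_allowlisted(expr, slide, allowed_methods=("add_text",)):
    """Stricter alternative: validate the AST first, then evaluate.
    Only `slide.<allowed method>(constants...)` shapes are accepted."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id != "slide":
            raise ValueError(f"disallowed name: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr not in allowed_methods:
            # Also rejects every dunder attribute, which is the usual route
            # around an empty __builtins__ mapping.
            raise ValueError(f"disallowed attribute: {node.attr}")
        if isinstance(node, ast.Call) and not isinstance(node.func, ast.Attribute):
            raise ValueError("only method calls on slide are allowed")
    code = compile(tree, "<llm-expression>", "eval")
    return eval(code, {"__builtins__": {}, "slide": slide}, {})


def outcome(fn, expr, slide):
    """Run fn(expr, slide) and report ("ok", value) or ("error", exception name)."""
    try:
        return ("ok", fn(expr, slide))
    except Exception as exc:  # reporting only
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    probe = "__import__('os').getcwd()"  # harmless built-in reach probe
    for fn in (render_unsafe, render_patched, render_allowlisted):
        print(fn.__name__, outcome(fn, probe, FakeSlide()))
        print(fn.__name__, outcome(fn, "slide.add_text('hello')", FakeSlide()))
```

Running the module shows render_unsafe returning the working directory (built-ins reached), render_patched failing with NameError, and render_allowlisted rejecting the probe at parse-validation time while all three accept the legitimate slide.add_text call.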
Detection Methods for CVE-2026-42079
Indicators of Compromise
- Unexpected Python child processes spawned by the PPTAgent runtime, especially python -c, sh, or bash invocations.
- Outbound network connections from the PPTAgent host to attacker-controlled hosts shortly after a slide generation request.
- Files written outside the PPTAgent workspace directory or modifications to ~/.ssh/authorized_keys and cron entries on Linux hosts.
- LLM trace logs containing strings such as __import__, eval(, exec(, or os.system inside generated code blocks.
Detection Strategies
- Audit PPTAgent's prompt and response logs for generated code that references __import__, subprocess, os, or socket.
- Compare deployed pptagent/apis.py against commit 418491a to confirm the presence of SAFE_EVAL_GLOBALS = {"__builtins__": {}}.
- Use endpoint detection and response (EDR) telemetry to flag the PPTAgent process spawning shells or interpreters.
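Added example, not from the page or the project: a scanner that applies the log-based indicators and detection strategies above to LLM trace lines. It parses each generated snippet with ast so that identifiers are matched as names and import statements rather than as substrings (a slide title containing the word "import" is not a hit), flags dunder attribute access since that is the usual route around a restricted __builtins__ mapping, and falls back to regex for output that does not parse. The trace line layout and SAMPLE_TRACE contents are constructed for this illustration and do not reflect PPTAgent's real log format.

```python
import ast
import re

# Names called out in the indicators above; a generated slide expression
# has no business referencing any of them.
SUSPICIOUS_NAMES = {"__import__", "eval", "exec", "compile", "open",
                    "os", "subprocess", "socket", "sys"}

# Fallback patterns for output that does not parse (truncated or malformed).
SUSPICIOUS_PATTERNS = re.compile(
    r"__import__|\beval\(|\bexec\(|os\.system|subprocess|socket")

# Assumed trace layout (constructed): <timestamp> <level> llm_response: <code>
RESPONSE_RE = re.compile(r"llm_response:\s*(?P<code>.*)$")

# Constructed sample trace lines, not real PPTAgent logs.
SAMPLE_TRACE = [
    "2026-05-04T10:00:01Z INFO llm_response: slide.add_text('Quarterly results')",
    "2026-05-04T10:00:02Z INFO llm_response: __import__('os').getcwd()",
    "2026-05-04T10:00:03Z INFO llm_response: slide.__class__.__mro__",
    "2026-05-04T10:00:04Z INFO llm_response: open('notes.txt').read()",
    "2026-05-04T10:00:05Z INFO llm_response: exec(",
    "2026-05-04T10:00:06Z DEBUG token_usage: prompt=812 completion=44",
]


def scan_code(code):
    """Return a list of human-readable reasons a snippet is suspicious."""
    reasons = []
    try:
        tree = ast.parse(code)
    except SyntaxError:
        match = SUSPICIOUS_PATTERNS.search(code)
        if match:
            reasons.append(f"unparseable code matches {match.group(0)!r}")
        return reasons
    for node in ast.walk(tree):
        if isinstance(node, ast.Name) and node.id in SUSPICIOUS_NAMES:
            reasons.append(f"references {node.id}")
        elif isinstance(node, ast.Attribute) and node.attr.startswith("__"):
            reasons.append(f"dunder attribute {node.attr}")
        elif isinstance(node, (ast.Import, ast.ImportFrom)):
            reasons.append("import statement in generated code")
    return reasons


def scan_trace(lines):
    """Scan trace lines; return (line number, reason) pairs for review."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = RESPONSE_RE.search(line)
        if not match:
            continue  # not an LLM response line
        for reason in scan_code(match.group("code")):
            findings.append((number, reason))
    return findings


if __name__ == "__main__":
    for number, reason in scan_trace(SAMPLE_TRACE):
        print(f"line {number}: {reason}")
```

In a deployment the same scan_code function can be called on each response before it reaches eval(), turning the detection rule into a pre-execution gate; the regex fallback keeps truncated output from slipping through unexamined.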
Monitoring Recommendations
- Forward PPTAgent application logs and process telemetry into a centralized SIEM or data lake for correlation.
- Alert on PPTAgent process file writes outside its declared workspace path.
- Monitor for new outbound connections from the PPTAgent service account, which should typically only contact the LLM endpoint.
How to Mitigate CVE-2026-42079
Immediate Actions Required
- Upgrade PPTAgent to a build that includes commit 418491a or later.
- Run PPTAgent under a dedicated, low-privilege service account with no shell access.
- Restrict the host's outbound network egress to only the required LLM API endpoints.
- Treat any input documents processed by vulnerable PPTAgent versions as potentially attacker-influenced and review host integrity.
Patch Information
The vulnerability is fixed in PPTAgent commit 418491a. The patch sets SAFE_EVAL_GLOBALS = {"__builtins__": {}} so eval() runs without access to Python built-ins, and adds resolve_path_in_workspace to constrain filesystem access in the MCP server. Refer to the GitHub Security Advisory GHSA-89g2-xw5c-v95p for additional context.
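As an added illustration of what a workspace-confinement check of the kind resolve_path_in_workspace provides has to do (this is not the project's implementation; the function name resolve_in_workspace, its signature and the sample workspace built by demo() are assumptions), the following resolves the requested path against the workspace root with symlinks followed and rejects anything that does not end up beneath that root: ../ traversal, absolute paths, and symlinks placed inside the workspace that point outside it.

```python
import tempfile
from pathlib import Path


def resolve_in_workspace(requested, workspace):
    """Resolve `requested` relative to `workspace` and return the real path,
    or raise PermissionError if the result lies outside the workspace.
    Hypothetical equivalent of a resolve_path_in_workspace style helper."""
    root = Path(workspace).resolve(strict=True)
    # An absolute `requested` replaces `root` when joined; resolve() then
    # collapses `..` segments and follows symlinks, so the containment test
    # below sees the real target rather than the requested spelling.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes workspace: {requested!r}")
    return candidate


def demo():
    """Build a constructed temporary workspace and exercise the check."""
    with tempfile.TemporaryDirectory() as tmp:
        workspace = Path(tmp) / "workspace"
        workspace.mkdir()
        (workspace / "deck.pptx").write_bytes(b"")
        outside = Path(tmp) / "secret.txt"  # sibling of the workspace
        outside.write_text("not for the agent")

        results = {}
        results["inside"] = resolve_in_workspace("deck.pptx", workspace).name
        results["normalized"] = resolve_in_workspace("sub/../deck.pptx", workspace).name
        for label, requested in {"dotdot": "../secret.txt",
                                 "absolute": str(outside)}.items():
            try:
                resolve_in_workspace(requested, workspace)
                results[label] = "allowed"
            except PermissionError:
                results[label] = "blocked"

        try:
            (workspace / "link.txt").symlink_to(outside)
        except OSError:
            results["symlink"] = "skipped"  # symlink creation not permitted here
        else:
            try:
                resolve_in_workspace("link.txt", workspace)
                results["symlink"] = "allowed"
            except PermissionError:
                results["symlink"] = "blocked"
        return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The key design choice is to compare resolved paths rather than strings: a prefix check on the unresolved text would accept both ../ sequences that normalise outside the root and a symlink whose name sits inside the workspace.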
Workarounds
- If patching is not immediately possible, run PPTAgent inside a container or sandbox with no network egress and a read-only filesystem outside its workspace.
- Apply the upstream change manually by replacing eval(expr) calls with eval(expr, {"__builtins__": {}}, {}) in forked deployments.
- Disable user-facing entry points that submit untrusted documents to PPTAgent until the patched version is deployed.
# Verify the patched commit is present in your deployment
cd PPTAgent
git log --oneline | grep 418491a
grep -n 'SAFE_EVAL_GLOBALS' pptagent/apis.py
# Expected: grep prints the definition prefixed with its line number, e.g. <line>:SAFE_EVAL_GLOBALS = {"__builtins__": {}}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.