CVE-2026-4965 Overview
A code injection vulnerability has been identified in letta-ai letta version 0.16.4. This vulnerability affects the resolve_type function within the file letta/functions/ast_parsers.py and represents an incomplete fix for CVE-2025-6101. The flaw allows for improper neutralization of directives in dynamically evaluated code (CWE-94), enabling attackers to potentially execute arbitrary code through crafted inputs.
Critical Impact
Remote attackers can exploit this vulnerability to inject and execute malicious code through the improperly sanitized AST parser function, potentially leading to unauthorized system access, data manipulation, or service disruption.
Affected Products
- letta-ai letta version 0.16.4
- Potentially earlier versions with the incomplete CVE-2025-6101 fix
Discovery Timeline
- 2026-03-27 - CVE-2026-4965 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-4965
Vulnerability Analysis
This vulnerability stems from an incomplete remediation of CVE-2025-6101 in the letta-ai letta project. The resolve_type function in letta/functions/ast_parsers.py fails to properly neutralize malicious directives when dynamically evaluating code. This allows an attacker to craft inputs that bypass the security measures implemented in the previous patch, resulting in code injection.
The attack can be initiated remotely without requiring authentication, making it accessible to unauthenticated attackers across the network. Successful exploitation could result in limited impacts to confidentiality, integrity, and availability of the affected system.
Root Cause
The root cause of this vulnerability lies in insufficient input validation and sanitization within the resolve_type function. When the original CVE-2025-6101 was patched, the fix did not adequately address all potential attack vectors for code injection through dynamic code evaluation. The incomplete sanitization allows specially crafted input to bypass the implemented security controls and execute arbitrary code within the application context.
Attack Vector
The attack vector for CVE-2026-4965 is network-based, meaning exploitation can occur remotely without physical access to the target system. An attacker can exploit this vulnerability by:
- Identifying an exposed letta-ai letta instance running version 0.16.4 or earlier
- Crafting malicious input that targets the resolve_type function
- Submitting the crafted payload through the network interface
- The improperly sanitized input is processed by the AST parser
- The malicious directives are evaluated, resulting in code execution
A proof-of-concept exploit has been publicly disclosed. Technical details are available in the GitHub Gist PoC and VulDB entry. Note that the vendor was contacted about this vulnerability but did not respond.
Detection Methods for CVE-2026-4965
Indicators of Compromise
- Unusual or unexpected code execution patterns originating from the letta application
- Log entries showing malformed or suspicious inputs to the resolve_type function
- Anomalous network traffic patterns targeting letta-ai endpoints
- Process spawning or system calls initiated from the letta application context
Detection Strategies
- Monitor application logs for suspicious input patterns targeting AST parsing functions
- Implement network intrusion detection rules to identify exploit attempts
- Deploy web application firewall (WAF) rules to filter malicious payloads
- Use SentinelOne's behavioral AI to detect anomalous code execution patterns
Monitoring Recommendations
- Enable verbose logging for the letta-ai application, particularly for the ast_parsers.py module
- Set up alerts for any unexpected process creation from the letta application
- Monitor for outbound network connections from the application that may indicate successful exploitation
- Implement file integrity monitoring on critical application files
How to Mitigate CVE-2026-4965
Immediate Actions Required
- Assess whether letta-ai letta version 0.16.4 is deployed in your environment
- Implement network-level access controls to restrict exposure of affected instances
- Apply input validation at the network perimeter using WAF rules
- Monitor for exploitation attempts while awaiting a vendor patch
Patch Information
At the time of this advisory, the vendor (letta-ai) has not responded to disclosure communications and no official patch is available. Organizations using letta-ai letta should:
- Monitor the official letta-ai repository for security updates
- Review the VulDB advisory for updated remediation guidance
- Consider temporary workarounds until an official fix is released
Workarounds
- Restrict network access to letta-ai instances using firewall rules or network segmentation
- Implement strict input validation at the application boundary before data reaches the resolve_type function
- Consider disabling or restricting functionality that relies on the vulnerable AST parsing component
- Deploy runtime application self-protection (RASP) solutions to detect and block exploitation attempts
Organizations should implement defense-in-depth strategies including network segmentation, strict access controls, and enhanced monitoring until an official patch becomes available from the vendor.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
