CVE-2026-5594 Overview
A code injection vulnerability has been identified in premAI-io premsql versions up to and including 0.2.1. The vulnerability exists in a call to Python's eval() function within the file premsql/agents/baseline/workers/followup.py. An attacker can manipulate the result argument to inject and execute arbitrary code. This vulnerability is exploitable remotely over the network and a proof-of-concept exploit has been made publicly available.
Critical Impact
Remote attackers with low privileges can inject arbitrary code through the vulnerable eval function, potentially leading to remote code execution on systems running affected versions of premsql.
Affected Products
- premAI-io premsql versions up to 0.2.1
- Applications utilizing the premsql followup.py worker module
- Systems running premsql agents with the baseline worker configuration
Discovery Timeline
- 2026-04-05 - CVE-2026-5594 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-5594
Vulnerability Analysis
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), commonly known as injection. The core issue stems from the unsafe use of Python's eval() function in the premsql/agents/baseline/workers/followup.py file. The eval() function is notoriously dangerous when used with untrusted input, as it executes arbitrary Python code passed to it as a string.
In this case, the result argument passed to the vulnerable function is not properly sanitized before being processed by eval(). This allows an attacker to craft malicious input that, when evaluated, executes arbitrary Python code on the target system. The vendor was contacted about this disclosure but did not respond.
Root Cause
The root cause of this vulnerability is the improper use of Python's eval() function without adequate input validation or sanitization. The result parameter in premsql/agents/baseline/workers/followup.py is directly processed by eval(), trusting user-controllable input to be safe. This violates secure coding principles that mandate never executing untrusted data as code.
The absence of input validation, type checking, or use of safer alternatives such as ast.literal_eval() for parsing data structures allows attackers to inject malicious code through the result argument.
Attack Vector
The attack can be carried out remotely over the network. An attacker with low privileges can craft a malicious payload in the result argument that will be executed when processed by the eval() function. Since the exploit has been publicly disclosed through proof-of-concept repositories, attackers have readily available tools to exploit this vulnerability.
The attack does not require user interaction and can be executed against any exposed instance of premsql running a vulnerable version. Successful exploitation can result in arbitrary code execution with the privileges of the premsql process.
For technical details on the exploitation mechanism, refer to the GitHub PoC Issue and GitHub PoC Script.
Detection Methods for CVE-2026-5594
Indicators of Compromise
- Unusual process execution spawned from Python processes running premsql
- Unexpected outbound network connections from systems running premsql agents
- Anomalous system commands or shell invocations in premsql application logs
- Presence of suspicious payloads in result parameter inputs containing Python code constructs
Detection Strategies
- Monitor premsql application logs for input containing strings typical of Python code injection, such as __import__, exec, eval, or os.system
- Implement network-level detection for anomalous traffic patterns to/from systems running premsql
- Deploy endpoint detection rules to identify unexpected child processes spawned by premsql Python processes
- Use web application firewall rules to filter requests containing common Python injection payloads
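String matching on names like __import__ misses anything that avoids those names, so the added example below (not premsql code) classifies each logged result value by its syntax tree and flags every value that is not a plain literal, without ever evaluating it. The log line shape (`result=<value>` at the end of the line) and the sample lines are constructed assumptions.

```python
import ast
import re

# Assumed log shape (constructed for this example): "<timestamp> followup result=<value>"
RESULT_RE = re.compile(r"\bresult=(.*)$")

# Node types that occur in plain data; any other node means the value is code.
LITERAL_NODES = (
    ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.UnaryOp, ast.USub, ast.UAdd, ast.Load,
)

def classify_result(value: str) -> str:
    """Return 'literal', 'code' or 'unparseable' for a logged result value."""
    try:
        tree = ast.parse(value.strip(), mode="eval")  # parses only, never executes
    except (SyntaxError, ValueError, MemoryError, RecursionError):
        return "unparseable"
    for node in ast.walk(tree):
        if not isinstance(node, LITERAL_NODES):
            return "code"
    return "literal"

def scan(lines):
    """Return (line_number, verdict, value) for each result value that is not a literal."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = RESULT_RE.search(line)
        if not match:
            continue
        verdict = classify_result(match.group(1))
        if verdict != "literal":
            findings.append((number, verdict, match.group(1)))
    return findings

# Constructed sample log lines.
SAMPLE_LOG = [
    "2026-04-06T10:00:01Z followup result=[{'id': 1, 'total': -3.5}]",
    "2026-04-06T10:00:02Z followup result=__import__('os').getcwd()",
    "2026-04-06T10:00:03Z followup result=[{'id': 2",
    "2026-04-06T10:00:04Z worker started",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Values reported as unparseable are usually truncated log entries; they are kept separate from code so they can be triaged at lower priority.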
Monitoring Recommendations
- Enable verbose logging for premsql agent activities and monitor for malformed or suspicious result parameter values
- Implement runtime application self-protection (RASP) to detect and block code injection attempts
- Monitor file system changes and new process creation on systems running premsql
- Set up alerts for any eval() function calls with external input in application monitoring tools
How to Mitigate CVE-2026-5594
Immediate Actions Required
- Identify all instances of premsql versions 0.2.1 and earlier in your environment
- Restrict network access to systems running vulnerable premsql instances
- Implement input validation at the application boundary to filter potentially malicious result parameter values
- Consider temporarily disabling the affected followup worker functionality until a patch is available
Patch Information
No official patch information is currently available from the vendor. The vendor was contacted about this disclosure but did not respond. Organizations should monitor the premAI-io premsql repository for security updates. Until an official fix is released, implementing the recommended workarounds is strongly advised.
For additional vulnerability details, refer to VulDB #355388.
Workarounds
- Replace the vulnerable eval() function with ast.literal_eval() if only literal Python structures need to be parsed
- Implement strict input validation and sanitization for the result parameter before it reaches the vulnerable code path
- Deploy network segmentation to isolate systems running premsql from untrusted networks
- Use application-level firewalls to filter requests containing suspicious Python code patterns
# Configuration example - Restrict network access to premsql instances
# Using iptables to limit access to trusted sources only
iptables -A INPUT -p tcp --dport <premsql_port> -s <trusted_ip_range> -j ACCEPT
iptables -A INPUT -p tcp --dport <premsql_port> -j DROP
# Monitor for suspicious eval usage in application logs
grep -r "eval\|exec\|__import__" /var/log/premsql/
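The eval() pattern described under Root Cause and the ast.literal_eval() replacement listed under Workarounds, side by side as an added example (not premsql's code). The function names, the size cap and the expected shape of result (a list of row dicts) are assumptions, and the inputs are constructed, with a harmless expression standing in for injected code.

```python
import ast

MAX_RESULT_CHARS = 100_000  # assumed cap; size it to the largest legitimate result


class UnsafeResultError(ValueError):
    """Raised when a result string is not the plain literal data we expect."""


def parse_result_unsafe(result: str):
    # The pattern the advisory describes: eval() executes any expression it is given.
    return eval(result)


def parse_result_safe(result: str):
    """Parse result as literal data only (assumed shape: a list of row dicts)."""
    if not isinstance(result, str):
        raise UnsafeResultError("result must be a string")
    if len(result) > MAX_RESULT_CHARS:
        raise UnsafeResultError("result too large")
    try:
        # literal_eval accepts only constants and containers; calls, names and
        # attribute access raise ValueError instead of running.
        value = ast.literal_eval(result)
    except (ValueError, SyntaxError, MemoryError, RecursionError) as exc:
        raise UnsafeResultError(f"not a literal: {type(exc).__name__}") from exc
    if not isinstance(value, list) or not all(isinstance(r, dict) for r in value):
        raise UnsafeResultError("expected a list of row dicts")
    return value


# Constructed inputs: one literal, one harmless expression.
LITERAL = "[{'id': 1, 'name': 'alice'}, {'id': 2, 'name': 'bob'}]"
EXPRESSION = "len('abc')"

if __name__ == "__main__":
    print(parse_result_unsafe(EXPRESSION))  # eval ran the call
    print(parse_result_safe(LITERAL))
    try:
        parse_result_safe(EXPRESSION)
    except UnsafeResultError as exc:
        print("rejected:", exc)
```

The length cap matters because ast.literal_eval() can still exhaust memory or recursion depth on very large or deeply nested input even though it never executes code.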


