Critical (9.9)

PraisonAI RCE (CVE-2026-39888)

CVE-2026-39888

PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a ...

Overview

A critical sandbox escape vulnerability, CVE-2026-39888, has been identified in the PraisonAI multi-agent framework. The flaw resides in the execute_code() tool, which is designed to run user-provided Python code in a restricted environment. Due to an incomplete security blocklist, this sandbox can be fully bypassed.

Technical Details

In affected versions prior to 1.5.115, the execute_code() function defaults to running code in a subprocess sandbox. This sandbox uses an AST-based blocklist to prevent access to dangerous attributes. However, the blocklist applied within this subprocess contains only 11 entries, missing critical attributes that are blocked in other execution paths.

Specifically, the four attributes __traceback__, tb_frame, f_back, and f_builtins are not blocked. An attacker can chain these attributes through a caught exception to traverse execution frames, ultimately accessing the real Python builtins dictionary of the sandbox wrapper process. From there, they can retrieve the exec function and execute arbitrary, unrestricted code, completely bypassing all intended security layers.
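A minimal sketch of the kind of AST attribute check described above, covering the four attributes this advisory names. It is an added example, not PraisonAI's code or its blocklist. The function name `find_frame_traversal` and both sample snippets are constructed for illustration.

```python
import ast

# The four attributes this advisory names as missing from the subprocess blocklist.
FRAME_TRAVERSAL_ATTRS = frozenset(
    {"__traceback__", "tb_frame", "f_back", "f_builtins"}
)


def find_frame_traversal(source):
    """Return sorted (line, name) pairs for each blocked name used in source.

    Raises ValueError if the source does not parse, so callers fail closed.
    """
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        raise ValueError(f"unparsable code rejected: {exc.msg}") from exc

    findings = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute) and node.attr in FRAME_TRAVERSAL_ATTRS:
            findings.add((node.lineno, node.attr))
        elif isinstance(node, ast.Name) and node.id in FRAME_TRAVERSAL_ATTRS:
            findings.add((node.lineno, node.id))
        elif (isinstance(node, ast.Constant) and isinstance(node.value, str)
              and node.value in FRAME_TRAVERSAL_ATTRS):
            # Names carried as string literals are flagged too (conservative).
            findings.add((node.lineno, node.value))
    return sorted(findings)


# Constructed samples, not taken from any real submission.
BENIGN = "total = sum(range(10))\nprint(total)\n"
SUSPICIOUS = (
    "try:\n"
    "    1 / 0\n"
    "except ZeroDivisionError as err:\n"
    "    tb = err.__traceback__\n"
    "    frame = tb.tb_frame\n"
)

if __name__ == "__main__":
    for label, code in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, find_frame_traversal(code))
```

The same function can be run over logged code submissions to find past attempts at frame traversal. It is a screening aid and does not replace upgrading to the patched release.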

Impact

The vulnerability has a CVSS v3.1 score of 9.9 (CRITICAL). With a low attack complexity and no required user interaction, a remote attacker with low privileges could exploit this flaw to execute arbitrary operating system commands on the host running the vulnerable PraisonAI instance. This can lead to a full compromise of the server, data theft, and further lateral movement within a network.

Remediation and Mitigation

The primary and only complete mitigation is to update PraisonAI to version 1.5.115 or later, where this vulnerability has been patched.

Immediate Actions:

  1. Upgrade: All users must upgrade their PraisonAI installation to version 1.5.115 immediately.
  2. Inventory: Identify all development, testing, and production deployments using PraisonAI agents that leverage code execution capabilities.
  3. Restrict Access: As a temporary measure if immediate patching is impossible, restrict network access to affected services to only trusted sources. However, this does not eliminate the risk from authorized but malicious users.

Security Insight

This vulnerability highlights the acute danger of “reinventing the wheel” for core security functions like sandboxing. The discrepancy between two internal blocklists suggests ad-hoc, rather than systematic, security controls. It echoes historical sandbox escapes in other platforms, where incomplete attribute blocking led to full compromise, underscoring that secure code execution remains one of the most perilous features to implement. As noted in "AI SOC Agent Hype Masks Growing Secrets Sprawl Crisis", the rush to integrate powerful AI capabilities can outpace the maturity of their underlying security foundations.
