CVE-2026-39888
CVE-2026-39888 is a critical-severity vulnerability in Praison Praisonai with a CVSS 3.x base score of 9.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-657.
Key facts
- Severity: Critical (CVSS 3.x base score 9.9)
- EPSS exploit prediction: 1% (42nd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-20635
- Weakness: CWE-657
- Affected product: Praison Praisonai
- Published:
- Last modified:
Description
PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.
Frequently asked questions
- What is CVE-2026-39888?
- PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names — a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name — bypassing every remaining security layer. This vulnerability is fixed in 1.5.115.
- How severe is CVE-2026-39888?
- CVE-2026-39888 has a CVSS 3.x base score of 9.9, rated critical severity. It is exploitable over network with low attack complexity, requires low privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2026-39888 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (42nd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-39888?
- CVE-2026-39888 affects Praison Praisonai. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-39888?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- Does CVE-2026-39888 have an EU (EUVD) identifier?
- Yes. CVE-2026-39888 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-20635.
- When was CVE-2026-39888 published?
- CVE-2026-39888 was published on 2026-04-08 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
More vulnerabilities in Praison Praisonai
- CVE-2026-41497 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not…
- CVE-2026-40315 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. Prior to 4.5.133, there is an SQL identifier injection vulnerability in…
- CVE-2026-40288 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the…
- CVE-2026-39890 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. Prior to 4.5.115, the AgentService.loadAgentFromFile method uses the js-yaml…
- CVE-2026-34935 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed…
- CVE-2026-34934 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. Prior to version 4.5.90, the get_all_user_threads function constructs raw SQL…
All CVEs affecting Praison Praisonai →
Other CWE-657 vulnerabilities
- CVE-2023-29320 — High (CVSS 7.8): Adobe Acrobat Reader versions 23.003.20244 (and earlier) and 20.005.30467 (and earlier) are affected by an Violation of…
- CVE-2019-0061 — High (CVSS 7.8): The management daemon (MGD) is responsible for all configuration and management operations in Junos OS. The Junos CLI…
- CVE-2023-52714 — High (CVSS 7.5): Vulnerability of defects introduced in the design process in the hwnff module. Impact: Successful exploitation of this…
- CVE-2021-28583 — High (CVSS 7.5): Magento versions 2.4.2 (and earlier), 2.4.1-p1 (and earlier) and 2.3.6-p1 (and earlier) are affected by a Violation of…
- CVE-2022-28244 — Medium (CVSS 6.3): Acrobat Reader DC versions 22.001.20085 (and earlier), 20.005.3031x (and earlier) and 17.012.30205 (and earlier) is…
- CVE-2021-36061 — Medium (CVSS 5.4): Adobe Connect version 11.2.2 (and earlier) is affected by a secure design principles violation vulnerability via the…