{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39888", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-07T20:32:03.011Z", "datePublished": "2026-04-08T20:41:56.680Z", "dateUpdated": "2026-04-09T20:21:16.297Z"}, "containers": {"cna": {"title": "PraisonAIAgents has a sandbox escape via exception frame traversal in `execute_code` (subprocess mode)", "problemTypes": [{"descriptions": [{"cweId": "CWE-657", "lang": "en", "description": "CWE-657: Violation of Secure Design Principles", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qf73-2hrx-xprp", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qf73-2hrx-xprp"}], "affected": [{"vendor": "MervinPraison", "product": "praisonaiagents", "versions": [{"version": "< 1.5.115", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-08T20:41:56.680Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode=\"sandbox\", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names \u2014 a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name \u2014 bypassing every remaining security layer. This vulnerability is fixed in 1.5.115."}], "source": {"advisory": "GHSA-qf73-2hrx-xprp", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:20:32.970513Z", "id": "CVE-2026-39888", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:21:16.297Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "34CC1B67-7607-48E7-BDB4-18F2E011807B", "versionEndExcluding": "1.5.115", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 1.5.115, execute_code() in praisonaiagents.tools.python_tools defaults to sandbox_mode=\"sandbox\", which runs user code in a subprocess wrapped with a restricted __builtins__ dict and an AST-based blocklist. The AST blocklist embedded inside the subprocess wrapper (blocked_attrs of python_tools.py) contains only 11 attribute names \u2014 a strict subset of the 30+ names blocked in the direct-execution path. The four attributes that form a frame-traversal chain out of the sandbox are all absent from the subprocess list (__traceback__, tb_frame, f_back, and f_builtins). Chaining these attributes through a caught exception exposes the real Python builtins dict of the subprocess wrapper frame, from which exec can be retrieved and called under a non-blocked variable name \u2014 bypassing every remaining security layer. This vulnerability is fixed in 1.5.115."}], "id": "CVE-2026-39888", "lastModified": "2026-04-15T18:02:58.940", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-08T21:17:00.990", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qf73-2hrx-xprp"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-657"}, {"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.115)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "praisonaiagents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-08T23:14:48.703054+00:00", "value": {"mitigation_remediation": ["Upgrade to PraisonAIAgents version 1.5.115 or later", "If an upgrade is not immediately possible, disable or remove any use of python_tools.execute_code in subprocess mode", "Ensure that all interfaces that invoke execute_code are protected by strong authentication and authorization controls", "Monitor logs for abnormal exception patterns that may indicate abuse of the sandbox escape"], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "MervinPraison\u2019s PraisonAI agents, version 1.5.115 and earlier, are affected. No other vendors or product versions are listed in the advisory.", "description_and_impact": "PraisonAIAgents includes a sandbox escape flaw in its execute_code method when operating in subprocess mode. The method runs user code in a restricted subprocess with a limited __builtins__ dictionary and an abstract syntax tree blocklist. In the vulnerability, four attribute names that enable frame traversal are omitted from the subprocess blocklist. By chaining these attributes through a caught exception, a malicious caller can surface the real Python builtins dictionary of the wrapper frame, retrieve the exec function under an unblocked name, and thereby execute arbitrary code, bypassing all remaining security controls. The weakness is classified as CWE\u2011657 and CWE\u2011693.", "risk_and_exploitability": "The base CVSS score is 10, indicating maximum severity. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker who can supply code to execute_code\u2014such as through an exposed API, plugin interface, or other code payload mechanism\u2014can trigger the exception chain without requiring elevated system privileges. This makes exploitation relatively straightforward for any user with access to the vulnerable function."}}}}, "created": "2026-04-09T08:17:52.481042+00:00", "updated": "2026-04-09T08:27:15.881866+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonaiagents"]}