PraisonAI Flaw: Arbitrary Code Execution via Unsanitized Tool Imports
The National Vulnerability Database (NVD) has detailed a critical arbitrary code execution vulnerability, CVE-2026-40287, affecting PraisonAI’s multi-agent teams system. Versions 4.5.138 and below are at risk due to the system’s automatic and unsanitized import of a tools.py file from the current working directory. This isn’t just a minor oversight; it’s a gaping hole.
Key components like call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and various CLI tool-loading paths blindly import ./tools.py at startup. There’s no validation, no sandboxing, and absolutely no user confirmation. This means if an attacker can drop a malicious tools.py file into the directory where PraisonAI is initiated – perhaps through a shared project, a cloned repository, or even a writable workspace – they gain immediate arbitrary Python code execution. We’re talking full compromise: the PraisonAI process, the host system, and any connected data or credentials are all fair game. This issue has since been patched in version 4.5.139, but the implications for unpatched systems are severe, as reflected by its CVSS score of 8.4 (HIGH).
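To make the failure mode concrete, here is an added illustration (not PraisonAI's own code) of the pattern the advisory describes: a loader that silently imports whatever `tools.py` sits in the working directory, placed next to a hardened loader that only executes a file the operator explicitly configured, pinned under a trusted root, not writable by other users, and confirmed before it runs. The function names (`load_tools_unsafe`, `load_tools_safe`, `demo`) and the sample `tools.py` it writes into a temporary directory are constructed for this example and are not identifiers from the project.

```python
"""Added illustration, not PraisonAI's own code: the implicit-CWD tool import
pattern described above next to a hardened, opt-in loader.
All function names here are hypothetical."""
import importlib.util
import os
import tempfile
from pathlib import Path
from types import ModuleType
from typing import Callable, Optional


class ToolLoadRefused(Exception):
    """Raised when the hardened loader declines to execute a tools file."""


def _exec_module(path: Path, name: str) -> ModuleType:
    # Importing a .py file runs all of its top-level code; that is the whole risk.
    spec = importlib.util.spec_from_file_location(name, path)
    module = importlib.util.module_from_spec(spec)
    spec.loader.exec_module(module)
    return module


def load_tools_unsafe(cwd: Path) -> Optional[ModuleType]:
    """Mirrors the vulnerable behaviour: whatever ./tools.py sits in the working
    directory is imported silently, so a cloned repo or shared workspace decides
    what code runs in the process."""
    candidate = cwd / "tools.py"
    return _exec_module(candidate, "tools_unsafe_demo") if candidate.is_file() else None


def load_tools_safe(explicit_path: Optional[str], trusted_root: Path,
                    confirm: Callable[[Path], bool]) -> ModuleType:
    """Hardened loader: no implicit discovery, path pinned under a trusted root,
    file must not be writable by group/other (POSIX), and the user must confirm."""
    if explicit_path is None:
        raise ToolLoadRefused("no tools file configured; refusing to auto-discover ./tools.py")
    path = Path(explicit_path).resolve()   # collapses symlinks and '..' before the root check
    root = trusted_root.resolve()
    if root not in path.parents:
        raise ToolLoadRefused(f"{path} is outside trusted root {root}")
    if not path.is_file():
        raise ToolLoadRefused(f"{path} is not a regular file")
    if os.name == "posix" and (path.stat().st_mode & 0o022):
        raise ToolLoadRefused(f"{path} is writable by group/other")
    if not confirm(path):
        raise ToolLoadRefused(f"user declined to load {path}")
    return _exec_module(path, "tools_safe_demo")


def demo() -> dict:
    """Build a throwaway workspace with a constructed tools.py and exercise both loaders."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        # Constructed sample file: benign here, but any statement in it would run on import.
        tools_file = tmp_path / "tools.py"
        tools_file.write_text('MARKER = "executed on import"\n')
        os.chmod(tools_file, 0o644)

        results["unsafe_marker"] = load_tools_unsafe(tmp_path).MARKER

        def refused(explicit_path, root, confirm=lambda p: True) -> bool:
            try:
                load_tools_safe(explicit_path, root, confirm)
                return False
            except ToolLoadRefused:
                return True

        results["safe_refuses_implicit"] = refused(None, tmp_path)
        results["safe_refuses_outside_root"] = refused(str(tools_file), tmp_path / "other")
        results["safe_refuses_declined"] = refused(str(tools_file), tmp_path, lambda p: False)
        if os.name == "posix":
            os.chmod(tools_file, 0o666)   # simulate a shared, world-writable workspace
            results["safe_refuses_world_writable"] = refused(str(tools_file), tmp_path)
            os.chmod(tools_file, 0o644)
        results["safe_marker"] = load_tools_safe(str(tools_file), tmp_path, lambda p: True).MARKER
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The unsafe loader executes the file simply because it exists; the hardened one treats a tools file as configuration the operator opts into, which is the behavioural change that closes the "drop a file in the directory" path. Pinning the resolved path under a trusted root also defeats symlink tricks, and the ownership check catches the shared-workspace case where another user could edit the file after it was reviewed.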
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40287 | RCE | PraisonAI versions 4.5.138 and below |
| CVE-2026-40287 | Code Injection | Vulnerable component: call.py (import_tools_from_file()) |
| CVE-2026-40287 | Code Injection | Vulnerable component: tool_resolver.py (_load_local_tools()) |
| CVE-2026-40287 | Code Injection | Vulnerable mechanism: Automatic, unsanitized import of ./tools.py at startup |