CVE-2026-40156— PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading

PraisonAI Affected by Implicit Execution of Arbitrary Code via Automatic `tools.py` Loading

PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI automatically loads a file named tools.py from the current working directory to discover and register custom agent tools. This loading process uses importlib.util.spec_from_file_location and immediately executes module-level code via spec.loader.exec_module() without explicit user consent, validation, or sandboxing. The tools.py file is loaded implicitly, even when it is not referenced in configuration files or explicitly requested by the user. As a result, merely placing a file named tools.py in the working directory is sufficient to trigger code execution. This behavior violates the expected security boundary between user-controlled project files (e.g., YAML configurations) and executable code, as untrusted content in the working directory is treated as trusted and executed automatically. If an attacker can place a malicious tools.py file into a directory where a user or automated system (e.g., CI/CD pipeline) runs praisonai, arbitrary code execution occurs immediately upon startup, before any agent logic begins. This vulnerability is fixed in 4.5.128.

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

对生成代码的控制不恰当(代码注入)

PraisonAI 安全漏洞

PraisonAI是Mervin Praison个人开发者的一个低代码多智能体协作框架。 PraisonAI 4.5.128之前版本存在安全漏洞，该漏洞源于自动加载并执行工作目录中的tools.py文件，可能导致任意代码执行。

N/A

N/A