AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

GHSA-4mr5-g6f9-cfrh: PraisonAI vulnerable to sandbox escape via `print.self` builtins module leak in `execute_code` (subprocess mode)

criticalvulnerability

security

Source: GitHub Advisory DatabaseMay 29, 2026CVE-2026-47392

Summary

PraisonAI's `execute_code()` function has a critical sandbox escape vulnerability that allows attackers to execute arbitrary commands on the host system. The vulnerability exploits four gaps in security validation: the `__self__` attribute (which retrieves the real Python builtins module) is not blocked, the `vars()` function is not restricted, attribute-based function calls bypass checks, and string concatenation bypasses string constant filters. An attacker can use these gaps to access the `__import__` function and run OS commands, completely defeating the sandbox protection.

Vulnerability Details

EPSS (30-day exploit probability)

EPSS: 0.0%

Patch Available

Yes

Disclosure Date

May 29, 2026

Classification

Attack SophisticationModerate

Impact (CIA+S)

confidentialityintegrityavailability

Affected Vendors

LangChain

Affected Packages

PraisonAI@<= 4.6.39 (fixed: 4.6.40)praisonaiagents@<= 1.6.39 (fixed: 1.6.40)

Related Issues

medium

CVE-2026-34371: LibreChat is a ChatGPT clone with additional features. Prior to 0.8.4, LibreChat trusts the name field returned by the e

Same vendorNVD/CVE Database

critical

CVE-2024-27444: langchain_experimental (aka LangChain Experimental) in LangChain before 0.1.8 allows an attacker to bypass the CVE-2023-

Same vendor

Monthly digest — independent AI security research

Original source: https://github.com/advisories/GHSA-4mr5-g6f9-cfrh

First tracked: May 29, 2026 at 08:00 PM

Classified by LLM (prompt v3) · confidence: 92%

GHSA-4mr5-g6f9-cfrh: PraisonAI vulnerable to sandbox escape via `print.__self__` builtins module leak in `execute_code` (subprocess mode)