PraisonAI, the open-source multi-agent framework built by Mervin Praison, disclosed two critical remote code execution vulnerabilities on April 8, 2026, and patched both the same day. Neither represents an active threat to teams running current releases. Together, they expose two distinct attack surfaces that any team running PraisonAI agents in production needs to understand.

CVE-2026-39888: Sandbox Escape via Exception Frame Traversal (CVSS 9.9)

The more severe of the two flaws, CVE-2026-39888, allows an attacker to escape PraisonAI’s Python code execution sandbox entirely.

The execute_code() function in praisonaiagents.tools.python_tools defaults to sandbox_mode="sandbox", which runs user code in a subprocess with a restricted __builtins__ dictionary and an AST-based blocklist. The problem: the blocklist applied inside the subprocess wrapper contains only 11 attribute names, according to the GitLab Advisory Database. The direct-execution path blocks over 30. Four attributes critical for frame traversal, __traceback__, tb_frame, f_back, and f_builtins, are absent from the subprocess blocklist entirely.

An attacker can trigger a caught exception, chain those four unblocked attributes to walk up the call stack, retrieve the real Python builtins dictionary from the subprocess wrapper frame, pull out exec, and run arbitrary code. The GitHub advisory (GHSA-qf73-2hrx-xprp) confirms the flaw was tested and verified on praisonaiagents version 1.5.113 under Python 3.10.

Exploitation requires no authentication and can be performed remotely over the network, according to TheHackerWire’s analysis. The fix ships in version 1.5.115.

CVE-2026-39890: YAML Deserialization RCE (CVSS 9.8)

The second vulnerability, CVE-2026-39890, targets a different component: agent definition loading.

PraisonAI’s AgentService.loadAgentFromFile method uses the js-yaml library to parse YAML files without disabling dangerous tags like !!js/function and !!js/undefined, according to the GitLab advisory. An attacker who can upload a malicious YAML agent definition file can embed arbitrary JavaScript that executes when the server parses the file. No public proof-of-concept exists at time of writing, but the attack path is straightforward: craft a YAML payload with dangerous tags, upload it to the API endpoint that accepts agent definitions, and the server executes the embedded code.

The CVSS score of 9.8 implies low or no authentication requirements. The fix ships in version 4.5.115.

Two Attack Surfaces, One Pattern

The two CVEs target completely separate components (Python sandbox vs. YAML parser) in separate codebases (praisonaiagents vs. praisonai), but they share a root cause: security controls that exist in one execution path but not another.

CVE-2026-39888’s blocklist discrepancy (11 items vs. 30+ items between subprocess and direct execution) is a textbook example of inconsistent enforcement across trust boundaries. CVE-2026-39890’s failure to disable dangerous YAML tags is a known anti-pattern that has produced critical vulnerabilities in dozens of projects over the past decade.
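One way to remove that kind of drift, shown as an added example rather than PraisonAI's own code: every execution path calls one validator backed by one blocklist, and a drift check compares any second list against it. Only the four frame-traversal names come from the advisory; the other blocklist entries, the function names and the sample snippets are constructed for illustration.

```python
import ast

# The four frame-traversal attributes named in the advisory.
FRAME_ATTRS = frozenset({"__traceback__", "tb_frame", "f_back", "f_builtins"})
# Constructed extras standing in for the rest of a blocklist (assumption).
BLOCKED_ATTRS = FRAME_ATTRS | {"__globals__", "__subclasses__", "__code__"}


def blocked_names(source, blocklist=BLOCKED_ATTRS):
    """Sorted blocked names referenced as attributes or string constants
    (a name handed to getattr() is a string, not an ast.Attribute)."""
    try:
        tree = ast.parse(source)
    except (SyntaxError, ValueError):
        return ["<unparseable>"]  # fail closed on code that cannot be inspected
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Attribute):
            name = node.attr
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            name = node.value
        else:
            continue
        if name in blocklist:
            hits.add(name)
    return sorted(hits)


def validate_for_path(source, path):
    """Hypothetical gate shared by every path; path is for reporting only."""
    hits = blocked_names(source)
    if hits:
        print(f"[{path}] rejected: {hits}")
    return not hits


def blocklist_drift(primary, secondary):
    """Names enforced on the primary path but missing from the secondary."""
    return sorted(set(primary) - set(secondary))


# Constructed samples: single attribute reads, not a working escape.
SAMPLES = {
    "benign": "total = sum(n * n for n in range(10))",
    "attr": "frame = err.tb_frame",
    "string": "name = 'f_builtins'",
}
```

String matching misses names assembled at run time, so a check like this supplements process-level isolation rather than replacing it.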

Who Needs to Act

Teams running PraisonAI agents in production should upgrade praisonaiagents to version 1.5.115 or later, and praisonai to version 4.5.115 or later. Anyone accepting agent definition files from external sources should treat this as an emergency patch.

For agent framework developers more broadly, the PraisonAI disclosures reinforce a pattern that has become persistent in 2026: sandbox implementations that look secure in the primary execution path often have weaker enforcement in secondary paths. Auditing the secondary paths first would have caught both of these flaws.