
At a Glance
CVE-2026-47392
Identifier
9.9 Critical
Severity
Network
Attack Vector
PraisonAI
Affected Product
A critical vulnerability in the PraisonAI agent framework allows for a complete sandbox escape. The flaw, tracked as CVE-2026-47392, carries a 9.9 Critical CVSS score. It enables an attacker to run arbitrary commands on the host machine, bypassing the framework's intended security boundaries. All versions of the `praisonaiagents` package up to 1.6.37 are affected [2].
An Agent's Path to Host Control
The PraisonAI framework gives AI agents a tool to execute Python code. This feature is meant to operate within a sandbox to prevent malicious or unintended actions. The vulnerability allows an agent, or an attacker influencing one, to break out of this containment. An attacker can achieve this through prompt injection or by providing malicious input for the agent to process.
The exploit requires just a few lines of code. It begins by accessing the `__self__` attribute of the built-in `print` function. This trick leaks a reference to Python's core `builtins` module. From there, the attacker can access the `vars()` function to list all available built-ins, including the powerful `__import__` function.
To evade simple string detection, the exploit constructs the name `__import__` at runtime from smaller pieces. Once the `__import__` function is obtained, the agent can load any standard Python library. Loading the `os` module provides direct access to the host operating system, enabling arbitrary command execution.
OPERATOR ACTION
Apply the vendor's short-term fix by adding '__self__' to the blocked attributes list in your configuration.
Why The Sandbox Failed
The sandbox escape was possible due to multiple gaps in the security validation logic. The primary oversight was the failure to block access to the `__self__` attribute. In Python, this attribute on C-level functions reveals the module they belong to, providing a direct path to the `builtins` module.
The security model also failed to block the use of the `vars()` function. This function was not on the denylist of either dangerous functions or blocked attributes. This allowed the attacker to convert their module reference into a dictionary of callable functions, including sensitive ones the sandbox was designed to block [1].
Further weaknesses existed in the Abstract Syntax Tree (AST) checks. The system only checked for dangerous function calls when they were simple names like `exec()`. It did not detect calls made through attributes like `module.exec()` or dictionary lookups like `dict["exec"]()`. This common flaw in AST-based sandboxes makes them easy to circumvent.
A Pattern of Patches and Bypasses
This vulnerability is especially concerning because it bypasses all previous security patches for the tool. The exploit successfully defeats mitigations put in place for three prior CVEs. This demonstrates the fragility of a security model based on blocking known-bad patterns.
The incident highlights a fundamental challenge in securing agentic systems. When an autonomous agent is granted the ability to execute code, its security relies entirely on its containment. A flawed sandbox does not just create a vulnerability; it turns the agent itself into a potential vector for a complete system takeover.
Denylist-based sandboxes are inherently difficult to secure. For every blocked function or attribute, creative attackers can often find an unblocked alternative to achieve their goals. The design of dynamic languages like Python provides a vast surface area for such bypasses.
Detection and Remediation
The immediate fix involves adding `__self__` to the frozenset of blocked attributes in the tool's source code. This closes the specific entry point used in this exploit. The vendor has provided this guidance in their security advisory [2].
Developers should also implement additional hardening measures. These include adding `vars` to the list of blocked functions and expanding AST checks to detect dangerous calls made through attributes or subscripts. Another defense is to analyze code for binary operations that concatenate strings into forbidden keywords.
For long-term security, teams should consider moving away from in-process code execution entirely. True process isolation provides a much stronger security boundary than application-level sandboxes. Technologies like OS-level sandboxing with gVisor, WebAssembly runtimes, or simple containerized execution offer superior and more reliable isolation for agentic workloads.
References
- GitHub Security Advisory (GHSA-4mr5-g6f9-cfrh). https://github.com/advisories/GHSA-4mr5-g6f9-cfrh (accessed 2026-06-01).
- Vendor security advisory (github.com). https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4mr5-g6f9-cfrh (accessed 2026-06-01).
About Helixar Research Labs
Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.
Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.
If you run agents in production, this is for you. Learn more at helixar.ai.