CVE-2026-47392

PraisonAI Sandbox Escape via print.__self__ Builtins Leak in execute_code

Execution Privilege Escalation Lateral Movement Last updated:

Detects exploitation of CVE-2026-47392, a critical sandbox escape vulnerability in PraisonAI (praisonaiagents <= 1.6.39, PraisonAI <= 4.6.39). The flaw allows attackers to leak the Python builtins module through `print.__self__` within the `execute_code` subprocess mode, bypassing sandbox restrictions and achieving arbitrary code execution on the host. A public proof-of-concept is available.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
praisonaiagents, PraisonAI
Versions
<= 1.6.39, <= 4.6.39

Weakness (CWE)

CWE-184CWE-693

Timeline

Disclosed
May 29, 2026

CVSS

9.9
Critical (9.0–10)
Read the write-up →

What is CVE-2026-47392 PraisonAI Sandbox Escape via print.__self__ Builtins Leak in execute_code?

PraisonAI Sandbox Escape via print.__self__ Builtins Leak in execute_code (CVE-2026-47392) maps to the Execution and Privilege Escalation and Lateral Movement tactics — the adversary is trying to run malicious code in MITRE ATT&CK.

This page provides production-ready detection logic for PraisonAI Sandbox Escape via print.__self__ Builtins Leak in execute_code, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceProcessEvents, DeviceNetworkEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Execution Privilege Escalation Lateral Movement
Microsoft Sentinel / Defender
kusto 
union DeviceProcessEvents, DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| where InitiatingProcessCommandLine has_any ("praisonai", "praisonaiagents") or ProcessCommandLine has_any ("praisonai", "praisonaiagents")
| where ProcessCommandLine has_any ("print.__self__", "__builtins__", "execute_code", "subprocess") or InitiatingProcessCommandLine has_any ("print.__self__", "__builtins__", "execute_code")
| extend SuspiciousIndicator = case(
    ProcessCommandLine has "print.__self__", "BuiltinsLeak",
    ProcessCommandLine has "__import__", "DynamicImport",
    ProcessCommandLine has "os.system" or ProcessCommandLine has "subprocess.Popen", "ShellExecution",
    "Unknown"
  )
| project TimeGenerated, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessCommandLine, SuspiciousIndicator, RemoteIP, RemotePort
| order by TimeGenerated desc

Detects process executions involving PraisonAI with indicators of sandbox escape attempts, including builtins module access patterns and subprocess shell execution following praisonai invocation.

critical severity high confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceProcessEvents DeviceNetworkEvents

Required Tables

DeviceProcessEvents DeviceNetworkEvents

False Positives

  • Legitimate PraisonAI developer testing and debugging sessions accessing builtins intentionally
  • Security researchers running authorized PoC validation in isolated lab environments
  • Automated CI/CD pipelines executing PraisonAI test suites that include sandbox boundary tests
  • Python developers using print.__self__ for introspection in non-malicious contexts outside PraisonAI

Sigma rule & cross-platform mapping

The detection logic for PraisonAI Sandbox Escape via print.__self__ Builtins Leak in execute_code (CVE-2026-47392) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-47392 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-47392

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1PraisonAI Builtins Leak via print.__self__ in execute_code

    Expected signal: Process spawn: python3 executing praisonaiagents code_tools module; child process executing 'id' command via os.popen; stdout contains 'SANDBOX_ESCAPE_SUCCESS' followed by uid/gid output

  2. Test 2PraisonAI Sandbox Escape to Reverse Shell

    Expected signal: Process tree: python3 -> praisonaiagents -> bash -c 'bash -i' with network connection to 127.0.0.1:4444; network telemetry showing TCP connection from python process

  3. Test 3PraisonAI Sandbox Escape with Credential File Exfiltration

    Expected signal: File open event on /tmp/lab_creds.txt by python process; outbound HTTP POST to 127.0.0.1:8888 from PraisonAI process; process command line contains __builtins__ and os.system invocation

Unlock Pro Content

Get the full detection package for CVE-2026-47392 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0002ExecutionTA0004Privilege EscalationTA0008Lateral Movement

Related Techniques

T1059.006PythonT1203Exploitation for Client ExecutionT1068Exploitation for Privilege Escalation

Same Tactic: Execution

Popular Detections