Intel

AIKIDO-2026-224340

banks is vulnerable to Unsafe Reflection

Unsafe Reflection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

60

Medium Risk

This Affects:

PYTHONbanks
1.4.0 - 2.4.2
Fixed in 2.4.3
Are you affected? Scan for Free

TL;DR

The completion extension resolves tool callables by reading each tool's import_path and loading it dynamically with importlib.import_module and getattr. Tool definitions are parsed from the rendered completion body, so an import_path influenced by untrusted prompt or tool data can point to arbitrary modules and functions such as os.system. When the model issues a matching tool call, the resolved callable is invoked with model-supplied arguments, enabling arbitrary code execution on the host. The fix removes the dynamic importlib lookup, resolves tools only from an explicit allowlisted callable registry populated by the tool filter, and stops sending import_path to the model.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the {% completion %} function-calling feature with tool definitions that can be influenced by untrusted input.

Background info

banks is vulnerable to Unsafe Reflection in versions 1.4.0 - 2.4.2.

How to fix this

Upgrade the banks library to the patch version.