CRITICAL🇵🇱 Wersja polska

CVE-2026-40288

CVSS 9.8v3.1pub. 2026-04-14upd. 2026-04-20

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.

🤖 AI Analysis
How it works

When the command `praisonai workflow run <file.yaml>` loads a YAML file containing a `type: job` entry, the JobWorkflowExecutor component processes steps handling three execution vectors: `run:` (shell commands via subprocess.run()), `script:` (inline Python via exec()), and `python:` (execution of arbitrary Python scripts). All these code paths — action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py — operate without any security controls. An attacker who is able to provide or influence the content of a YAML file (e.g., in code repositories, CI/CD pipelines, or multi-tenant environments) can thus trigger the execution of arbitrary commands on the host.

Impact

An attacker can achieve full execution of arbitrary commands and code on the host system (RCE), leading to machine compromise, data theft, and theft of stored credentials.

Mitigation & patch

PraisonAI should be updated to version 4.5.139 or newer and praisonaiagents to version 1.5.140 or newer. As a supplementary measure, the ability to provide or modify YAML workflow files should be restricted to trusted users, particularly in CI/CD environments, shared repositories, and multi-tenant deployments.

Who is affected

PraisonAI in versions below 4.5.139 and praisonaiagents in versions below 1.5.140

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Praison Praisonai

    APP
    Praison
    < 4.5.139
  • Praison Praisonaiagents

    APP
    Praison
    < 1.5.140
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
RCECommand Injection
CWE
References

Related vulnerabilities

CVE-2026-41497CRITICAL9.8PL ✓ten sam produkt

Command Injection w PraisonAI — brak walidacji poleceń MCP

CVE-2026-44336CRITICAL9.4PL ✓ten sam produkt

Path Traversal i RCE w PraisonAI MCP Server (serwer narzędzi plikowych)

CVE-2026-40289CRITICAL9.1PL ✓ten sam produkt

PraisonAI – nieuwierzytelnione przejęcie sesji przeglądarki przez WebSocket

CVE-2026-40313CRITICAL9.1PL ✓ten sam produkt

PraisonAI – wyciek tokenów GitHub przez atak ArtiPACKED w CI/CD

CVE-2026-40157CRITICAL9.4PL ✓ten sam produkt

Path traversal w PraisonAI — nadpisywanie plików przez złośliwy pakiet .praison