Cyber Resilience

CVE-2026-40088

Critical · Public PoC · RCE

Published: 09 April 2026

Modified: 16 April 2026
KEV Added
Patch
CVSS Score v3.1: 9.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0042 (33.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-40088 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40088 is a command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.121. The execute_command function and workflow shell execution components are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls. This exposure allows attackers to inject arbitrary shell commands through shell metacharacters.

Unauthenticated remote attackers can exploit the vulnerability over the network with low complexity and no privileges required, though user interaction is needed. By crafting malicious inputs such as workflows or tool calls, attackers can trick users into triggering execution, achieving arbitrary shell command injection on the host system. This results in high impacts to confidentiality, integrity, and availability, with a changed scope, yielding a CVSS v3.1 base score of 9.6.

The vulnerability is addressed in PraisonAI version 4.5.121. The GitHub security advisory (GHSA-2763-cj5r-c79m) and release notes for v4.5.121 detail the fix and recommend upgrading immediately.

This vulnerability has relevance to AI/ML deployments, as it involves LLM-generated tool calls in a multi-agent framework. No public information on real-world exploitation is available.

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.…

This vulnerability is fixed in 4.5.121.

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: llm

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Command injection in exposed shell execution components of a network-accessible application directly enables remote exploitation of public-facing apps (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34935 - Same product: Praison Praisonai
CVE-2026-41497 - Same product: Praison Praisonai
CVE-2026-34955 - Same product: Praison Praisonai
CVE-2026-34953 - Same product: Praison Praisonai
CVE-2026-44336 - Same product: Praison Praisonai
CVE-2026-40116 - Same product: Praison Praisonai
CVE-2026-44338 - Same product: Praison Praisonai
CVE-2026-34934 - Same product: Praison Praisonai
CVE-2026-40111 - Same vendor: Praison
CVE-2026-39889 - Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.121

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent

Directly prevents command injection by validating and sanitizing user-controlled inputs from agent workflows, YAML definitions, and LLM-generated tool calls before shell execution.

prevent

Addresses the specific flaw through timely remediation by applying the patch in PraisonAI version 4.5.121.

prevent

Limits the impact of injected arbitrary shell commands by enforcing least privilege on processes handling execute_command and workflow shell execution.
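
One way to apply the input-validation control above to a command string that arrives from a workflow definition or an LLM-generated tool call, shown as an added example that is not PraisonAI's code or its 4.5.121 fix. The function names, the allowlist and the sample strings are constructed for illustration.

```python
import shlex
import subprocess

# Hypothetical policy (assumption): the only executables a tool call may run.
ALLOWED_BINARIES = {"echo", "ls"}
# Characters a POSIX shell treats as operators, expansion, globbing or redirection.
SHELL_METACHARS = set(";|&$`<>(){}\n\\*?~!#")

class RejectedCommand(ValueError):
    """Raised when an untrusted command string fails validation."""

def parse_tool_command(raw: str) -> list[str]:
    """Turn an untrusted command string into an argv list, or raise."""
    bad = sorted(SHELL_METACHARS & set(raw))
    if bad:
        raise RejectedCommand(f"shell metacharacters not allowed: {bad!r}")
    try:
        argv = shlex.split(raw)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise RejectedCommand(f"unparseable command: {exc}") from exc
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise RejectedCommand(f"executable not allowlisted: {argv[:1]!r}")
    return argv

def run_tool_command(raw: str, timeout: float = 5.0) -> str:
    """Validate, then execute without a shell so nothing re-parses the input."""
    argv = parse_tool_command(raw)
    # shell=False is the default: argv is passed to the OS as-is.
    done = subprocess.run(argv, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return done.stdout

# Constructed sample inputs, as a tool call or YAML workflow step might supply them.
SAMPLES = ["echo build finished", "echo ok; id", "echo $(whoami)",
           "python -c pass", "echo 'unterminated"]

def audit(samples):
    """Return {command: ("allow", argv) or ("deny", reason)} for each sample."""
    results = {}
    for cmd in samples:
        try:
            results[cmd] = ("allow", parse_tool_command(cmd))
        except RejectedCommand as exc:
            results[cmd] = ("deny", str(exc))
    return results

if __name__ == "__main__":
    for cmd, (verdict, detail) in audit(SAMPLES).items():
        print(f"{verdict:5} {cmd!r}: {detail}")
    print(run_tool_command("echo build finished"), end="")
```

Allowlisting the executable does not constrain its arguments, so each permitted binary still needs its own review for option and path abuse, and the process should run with least privilege as the third control describes.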

References