CVE-2026-40088
Published: 09 April 2026
Summary
CVE-2026-40088 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 33.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40088 is a command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.121. The execute_command function and workflow shell execution components are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls. This exposure allows attackers to inject arbitrary shell commands through shell metacharacters.
Unauthenticated remote attackers can exploit the vulnerability over the network with low complexity and no privileges required, though user interaction is needed. By crafting malicious inputs such as workflows or tool calls, attackers can trick users into triggering execution, achieving arbitrary shell command injection on the host system. This results in high impacts to confidentiality, integrity, and availability, with a changed scope, yielding a CVSS v3.1 base score of 9.6.
The vulnerability is addressed in PraisonAI version 4.5.121. The GitHub security advisory (GHSA-2763-cj5r-c79m) and release notes for v4.5.121 detail the fix and recommend upgrading immediately.
This vulnerability has relevance to AI/ML deployments, as it involves LLM-generated tool calls in a multi-agent framework. No public information on real-world exploitation is available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21064
Vulnerability details
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in exposed shell execution components of a network-accessible application directly enables remote exploitation of public-facing apps (T1190) and arbitrary Unix shell command execution (T1059.004).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents command injection by validating and sanitizing user-controlled inputs from agent workflows, YAML definitions, and LLM-generated tool calls before shell execution.
Addresses the specific flaw through timely remediation by applying the patch in PraisonAI version 4.5.121.
Limits the impact of injected arbitrary shell commands by enforcing least privilege on processes handling execute_command and workflow shell execution.
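The input-validation control described above, as an added example: it is not PraisonAI's code and not the fix shipped in 4.5.121. The tool-call schema, the `run_shell` name, the allowlist and every function name here are hypothetical; the point is that untrusted command strings from workflows or LLM tool calls are rejected if they contain shell metacharacters and are then executed as an argv list with no shell.

```python
import shlex
import subprocess

# Assumption: executables this deployment lets agent tools run.
ALLOWED_EXECUTABLES = {"ls", "cat", "echo"}
# Characters a shell would treat as chaining, substitution, redirection or globbing.
SHELL_METACHARACTERS = set(";&|`$<>(){}[]\\*?~!#\n\r")


class RejectedCommand(ValueError):
    """An untrusted command string failed validation."""


def validate_command(command):
    """Return an argv list for an untrusted command string, or raise RejectedCommand."""
    if not isinstance(command, str) or not command.strip():
        raise RejectedCommand("empty or non-string command")
    found = sorted(SHELL_METACHARACTERS.intersection(command))
    if found:
        raise RejectedCommand(f"shell metacharacters present: {found!r}")
    try:
        argv = shlex.split(command)  # tokenise only; nothing is executed here
    except ValueError as exc:  # for example, an unbalanced quote
        raise RejectedCommand(f"unparseable command: {exc}") from exc
    if not argv or argv[0] not in ALLOWED_EXECUTABLES:
        raise RejectedCommand(f"executable not allowlisted: {argv[:1]!r}")
    return argv


def run_tool_call(tool_call, timeout=10.0):
    """Validate, then execute without a shell so no metacharacter is ever interpreted."""
    argv = validate_command(tool_call.get("arguments", {}).get("command"))
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    # Constructed sample tool calls (hypothetical schema), not captured traffic.
    samples = [
        {"name": "run_shell", "arguments": {"command": "echo build finished"}},
        {"name": "run_shell", "arguments": {"command": "echo done; id"}},
        {"name": "run_shell", "arguments": {"command": "/bin/sh -c ls"}},
    ]
    for call in samples:
        try:
            print("ran:", run_tool_call(call).strip())
        except RejectedCommand as err:
            print("rejected:", err)
```

The validator only decides which program may start; arguments passed to an allowlisted program still need their own review, and the least-privilege control above bounds whatever does run.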