CVE-2026-40088
Published: 09 April 2026
Summary
CVE-2026-40088 is a critical-severity OS Command Injection (CWE-78) vulnerability in PraisonAI (vendor: Praison). Its CVSS v3.1 base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 16.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as Machine Learning Libraries.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): directly prevents command injection by validating and sanitizing user-controlled inputs from agent workflows, YAML definitions, and LLM-generated tool calls before any shell execution takes place.
SI-2 (Flaw Remediation): addresses the specific flaw through timely remediation by applying the patch, i.e. upgrading to PraisonAI version 4.5.121.
AC-6 (Least Privilege): limits the impact of injected arbitrary shell commands by enforcing least privilege on the processes that handle execute_command and workflow shell execution, so a successful injection runs with minimal rights.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection in the exposed shell execution components of a network-accessible application directly enables remote exploitation of a public-facing application (T1190), and the injected payload is executed as Unix shell commands (T1059.004).
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters.…
This vulnerability is fixed in 4.5.121.
Deeper analysis
CVE-2026-40088 is a command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.121. The execute_command function and workflow shell execution components are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls. This exposure allows attackers to inject arbitrary shell commands through shell metacharacters.
Unauthenticated remote attackers can exploit the vulnerability over the network with low attack complexity and no privileges required, though user interaction is needed. By crafting malicious inputs such as workflow definitions or tool calls, attackers can trick users into triggering their execution, achieving arbitrary shell command execution on the host system. This results in high impact to confidentiality, integrity, and availability with a changed scope (vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), yielding a CVSS v3.1 base score of 9.6.
The vulnerability is addressed in PraisonAI version 4.5.121. The GitHub security advisory (GHSA-2763-cj5r-c79m) and release notes for v4.5.121 detail the fix and recommend upgrading immediately.
This vulnerability has relevance to AI/ML deployments, as it involves LLM-generated tool calls in a multi-agent framework. No public information on real-world exploitation is available.
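The mechanism described above (an untrusted string from a workflow, YAML step or LLM tool call reaching a shell, where metacharacters such as `;` and `$(...)` are interpreted) and the SI-10 input-validation control listed under Mitigating Controls are illustrated together below. This is an added example written for this page; it is not PraisonAI's code and does not reproduce the project's real `execute_command` signature. The function names, the executable allowlist and the sample payloads are assumptions; the payloads only echo a marker string and are harmless.

```python
"""Vulnerable vs hardened command runner for an agent tool (illustrative).

Added example for this page, not PraisonAI's own code. The function names,
the allowlist and the sample tool-call inputs are assumptions.
"""
import shlex
import subprocess

# Characters that only carry meaning for /bin/sh. With shell=False they are
# inert, but rejecting them keeps LLM- or YAML-supplied strings that were
# clearly written for a shell from ever reaching a subprocess.
SHELL_METACHARACTERS = frozenset(";|&$`<>(){}\n\r")

# Hypothetical allowlist of executables an agent tool may launch.
ALLOWED_EXECUTABLES = frozenset({"echo", "ls", "cat", "wc"})


class CommandRejected(ValueError):
    """Raised when a tool-call command fails validation (an SI-10 style check)."""


def vulnerable_execute_command(command: str) -> str:
    """The CWE-78 anti-pattern: the untrusted string is handed to /bin/sh,
    so ';', '|', '$(...)' and friends are interpreted as shell syntax."""
    completed = subprocess.run(command, shell=True, capture_output=True, text=True)
    return completed.stdout


def safe_execute_command(command: str, allowed=ALLOWED_EXECUTABLES, timeout=5.0) -> str:
    """Hardened variant: parse into argv, allowlist argv[0], reject shell
    syntax, and exec without a shell so no metacharacter is ever interpreted."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar parse failures
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    if argv[0] not in allowed:
        raise CommandRejected(f"executable not allowlisted: {argv[0]!r}")
    for token in argv:
        if SHELL_METACHARACTERS & set(token):
            raise CommandRejected(f"shell metacharacter in argument: {token!r}")
    # shell=False: argv goes straight to execve(), never through /bin/sh.
    completed = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)
    return completed.stdout


def run_tool_call(tool_call: dict) -> str:
    """Dispatch a (constructed) LLM tool call through the hardened runner."""
    if tool_call.get("name") != "execute_command":
        raise CommandRejected(f"unknown tool: {tool_call.get('name')!r}")
    command = str(tool_call.get("arguments", {}).get("command", ""))
    return safe_execute_command(command)


if __name__ == "__main__":
    # Constructed payloads of the kind an LLM-generated tool call or a YAML
    # workflow step could carry; each only echoes a marker string.
    payloads = ["echo hello; echo INJECTED", "echo $(echo INJECTED)", "echo hello | cat"]
    for payload in payloads:
        print("shell=True :", repr(vulnerable_execute_command(payload)))
        try:
            safe_execute_command(payload)
        except CommandRejected as err:
            print("hardened   : rejected -", err)
    call = {"name": "execute_command", "arguments": {"command": "echo hello"}}
    print("hardened ok:", repr(run_tool_call(call)))
```

The allowlist plus `shell=False` is what actually closes the injection: even a token such as `hello;` that slipped past the metacharacter check would be passed to `echo` as a literal argument rather than parsed by a shell. The metacharacter rejection is defence in depth that makes injection attempts visible as errors instead of silently degraded commands, and it also refuses quoted metacharacters such as `'safe; text'`, which is acceptable for an agent tool. For the AC-6 side, run the subprocess as a dedicated unprivileged account (for example via the `user=` and `group=` parameters of `subprocess.run` on a supported Python) rather than as the agent service itself.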
Details
- CWE(s): CWE-78 (OS Command Injection)
- Affected Products: PraisonAI versions prior to 4.5.121 (fixed in 4.5.121)
AI Security Analysis
- AI Category: Machine Learning Libraries
- Risk Domain: N/A
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: llm