CVE-2026-40111

CVE-2026-40111 is an OS command injection vulnerability (CWE-78) in PraisonAIAgents, a multi-agent teams system within the PraisonAI project. Prior to version 1.5.128, the memory hooks executor in the praisonaiagents component, located at src/praisonai-agents/praisonaiagents/memory/hooks.py, passes a user-controlled command string directly to subprocess.run() with shell=True. No sanitization occurs, allowing shell metacharacters to be interpreted by /bin/sh before the intended command executes.

The vulnerability exposes two attack surfaces. The first involves pre_run_command and post_run_command hook event types registered through the hooks configuration. The second, more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks for events like BEFORE_TOOL and AFTER_TOOL execute automatically during agent operation. Remote attackers (AV:N, AC:L, PR:N) can exploit this with user interaction (UI:R), achieving high confidentiality, integrity, and availability impacts (CVSS 8.8). An agent with file-write access via prompt injection can overwrite .praisonai/hooks.json, enabling silent payload execution on every subsequent lifecycle event without further interaction.

The GitHub security advisory (GHSA-v7px-3835-7gjx) confirms the issue is fixed in PraisonAIAgents version 1.5.128. Security practitioners should upgrade to this version or later and review hook configurations for user-controlled inputs.

This vulnerability has particular relevance to AI/ML deployments, as it affects a multi-agent system exploitable through prompt injection for persistent command execution during agent lifecycles. No public evidence of real-world exploitation is available as of the CVE publication on 2026-04-09.