CVE-2026-40111
Published: 09 April 2026
Summary
CVE-2026-40111 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonaiagents. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-40111 is an OS command injection vulnerability (CWE-78) in PraisonAIAgents, a multi-agent teams system within the PraisonAI project. Prior to version 1.5.128, the memory hooks executor in the praisonaiagents component, located at src/praisonai-agents/praisonaiagents/memory/hooks.py, passes a user-controlled command string directly to subprocess.run() with shell=True. No sanitization occurs, allowing shell metacharacters to be interpreted by /bin/sh before the intended command executes.
The vulnerability exposes two attack surfaces. The first involves pre_run_command and post_run_command hook event types registered through the hooks configuration. The second, more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks for events like BEFORE_TOOL and AFTER_TOOL execute automatically during agent operation. Remote attackers (AV:N, AC:L, PR:N) can exploit this with user interaction (UI:R), achieving high confidentiality, integrity, and availability impacts (CVSS 8.8). An agent with file-write access via prompt injection can overwrite .praisonai/hooks.json, enabling silent payload execution on every subsequent lifecycle event without further interaction.
The GitHub security advisory (GHSA-v7px-3835-7gjx) confirms the issue is fixed in PraisonAIAgents version 1.5.128. Security practitioners should upgrade to this version or later and review hook configurations for user-controlled inputs.
This vulnerability has particular relevance to AI/ML deployments, as it affects a multi-agent system exploitable through prompt injection for persistent command execution during agent lifecycles. No public evidence of real-world exploitation is available as of the CVE publication on 2026-04-09.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21152
Vulnerability details
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the…
more
intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
- CWE(s)
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: prompt injection
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via unsanitized user input to subprocess.run(shell=True) with /bin/sh directly enables remote code execution on a network-accessible application (T1190) using Unix shell commands (T1059.004). The hooks.json lifecycle mechanism further facilitates persistent execution on agent events.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates OS command injection by requiring validation of user-controlled command strings passed to subprocess.run() with shell=True, preventing shell metacharacter interpretation.
Remediates the specific flaw in the memory hooks executor by applying the vendor fix in version 1.5.128 that addresses unsanitized inputs.
Detects unauthorized modifications to .praisonai/hooks.json via integrity verification, addressing the persistent attack surface from file overwrites through prompt injection.