Cyber Resilience

CVE-2026-40113

High · Public PoC

Published: 09 April 2026

Modified: 17 April 2026
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0023 (13.7th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40113 is a high-severity Argument Injection (CWE-88) vulnerability in Praison Praisonai. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Modify Cloud Compute Configurations (T1578.005). The CVE ranks at the 13.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-40113 is an argument injection vulnerability (CWE-88) in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.128. The issue resides in the deploy.py script, which constructs a comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating the openai_model, openai_key, and openai_base values without validating for commas. Since gcloud interprets commas as separators between key-value pairs in --set-env-vars, a comma in any of these values causes the trailing text to be parsed as additional arbitrary KEY=VALUE definitions, enabling injection of unauthorized environment variables into the deployed Cloud Run service. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).

An attacker requires local access to the system running deploy.py, with low privileges (PR:L) and low attack complexity, and no user interaction is needed. By supplying specially crafted values containing commas for openai_model, openai_key, or openai_base—such as during a deployment process—they can inject arbitrary environment variables into the resulting Cloud Run service. This achieves high confidentiality and integrity impacts across a changed scope, potentially allowing control over service behavior, exposure of sensitive data, or modification of runtime configurations.

The GitHub Security Advisory (GHSA-fvxx-ggmx-3cjg) confirms the vulnerability is fixed in PraisonAI version 4.5.128, recommending users upgrade to this or later versions to mitigate the issue.

PraisonAI's integration with OpenAI endpoints highlights relevance to AI/ML deployments on Google Cloud Run, where compromised environment variables could alter model inference or API behaviors. No real-world exploitation has been reported.
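The string construction described above, with an input check of the kind SI-10 calls for, as an added example that is not PraisonAI's deploy.py or its 4.5.128 fix. The environment variable names, function names, the simplified comma/equals parser and the sample values are assumptions constructed for illustration.

```python
# Added illustration, not PraisonAI's deploy.py; variable names are assumed.
ENV_KEYS = ("OPENAI_MODEL_NAME", "OPENAI_API_KEY", "OPENAI_API_BASE")


def _join(values):
    return ",".join(f"{k}={v}" for k, v in zip(ENV_KEYS, values))


def build_env_vars_unsafe(openai_model, openai_key, openai_base):
    """Pre-fix pattern as described: values interpolated without checks."""
    return _join((openai_model, openai_key, openai_base))


def parsed_pairs(arg):
    """Simplified model (assumption) of the receiving parser: split pairs
    on ',', then each pair on its first '='."""
    return [tuple(p.partition("=")[::2]) for p in arg.split(",")]


def round_trips(values):
    """True only if the joined string parses back to the intended pairs."""
    return parsed_pairs(_join(values)) == list(zip(ENV_KEYS, values))


def build_env_vars_checked(openai_model, openai_key, openai_base):
    """Hardened variant: refuse values that carry the pair separator or
    control characters, then confirm the result round-trips."""
    values = (openai_model, openai_key, openai_base)
    for key, value in zip(ENV_KEYS, values):
        if not value:
            raise ValueError(f"{key}: empty value")
        if "," in value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"{key}: comma or control character in value")
    if not round_trips(values):
        raise ValueError("argument would not parse back to the intended pairs")
    return _join(values)


# Constructed sample inputs (not real credentials or endpoints).
GOOD = ("gpt-4o", "sk-constructed-example", "https://api.example.test/v1")
BAD = ("gpt-4o,EXTRA_VAR=1", "sk-constructed-example", "https://api.example.test/v1")

if __name__ == "__main__":
    print(parsed_pairs(build_env_vars_unsafe(*BAD)))
    try:
        build_env_vars_checked(*BAD)
    except ValueError as exc:
        print("rejected:", exc)
```

gcloud run deploy also accepts --env-vars-file, which reads the variables from a YAML file instead of a comma-delimited string.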

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1578.005 Modify Cloud Compute Configurations Defense Impairment
Adversaries may modify settings that directly affect the size, locations, and resources available to cloud compute infrastructure in order to evade defenses.
Why these techniques?

The argument injection vulnerability directly enables modification of environment variables (a cloud compute configuration) in the deployed Google Cloud Run service via the gcloud deploy command.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34952 (Same product: Praison Praisonai)
CVE-2026-34955 (Same product: Praison Praisonai)
CVE-2026-39306 (Same product: Praison Praisonai)
CVE-2026-40158 (Same product: Praison Praisonai)
CVE-2026-39891 (Same product: Praison Praisonai)
CVE-2026-44340 (Same product: Praison Praisonai)
CVE-2026-39307 (Same product: Praison Praisonai)
CVE-2026-34934 (Same product: Praison Praisonai)
CVE-2026-40315 (Same product: Praison Praisonai)
CVE-2026-39305 (Same product: Praison Praisonai)

Affected Assets

praison
praisonai
≤ 4.5.128

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of openai_model, openai_key, and openai_base inputs prior to interpolation into the gcloud --set-env-vars argument to block comma-based injection.

prevent

Mandates timely identification, reporting, and patching of the argument injection flaw in deploy.py, as fixed in PraisonAI 4.5.128.

prevent

Enforces restrictions on inputs to deploy.py such as prohibiting commas or special characters in openai_model, openai_key, and openai_base to prevent parsing as additional KEY=VALUE pairs.
