CVE-2026-40113
Published: 09 April 2026
Summary
CVE-2026-40113 is a high-severity Argument Injection (CWE-88) vulnerability in Praison Praisonai. Its CVSS base score is 8.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Modify Cloud Compute Configurations (T1578.005). The CVE ranks at the 8.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly requires validation of openai_model, openai_key, and openai_base inputs prior to interpolation into the gcloud --set-env-vars argument to block comma-based injection.
- Mandates timely identification, reporting, and patching of the argument injection flaw in deploy.py, as fixed in PraisonAI 4.5.128.
- Enforces restrictions on inputs to deploy.py such as prohibiting commas or special characters in openai_model, openai_key, and openai_base to prevent parsing as additional KEY=VALUE pairs.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The argument injection vulnerability directly enables modification of environment variables (a cloud compute configuration) in the deployed Google Cloud Run service via the gcloud deploy command.
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.
Deeper analysis
CVE-2026-40113 is an argument injection vulnerability (CWE-88) in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.128. The issue resides in the deploy.py script, which constructs a comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating the openai_model, openai_key, and openai_base values without validating for commas. Since gcloud interprets commas as separators between key-value pairs in --set-env-vars, a comma in any of these values causes the trailing text to be parsed as additional arbitrary KEY=VALUE definitions, enabling injection of unauthorized environment variables into the deployed Cloud Run service. The vulnerability has a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N).
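The comma parsing described above, next to an SI-10 style input check, as an added example (not code from PraisonAI or the advisory). The environment variable names, the forbidden-character set and the sample values are assumptions, and parse_set_env_vars is a simplified model of how the argument is split.

```python
import re

# Assumed variable names: the advisory names only the three inputs,
# not the environment keys deploy.py writes them to.
ENV_KEYS = {"openai_model": "OPENAI_MODEL_NAME", "openai_key": "OPENAI_API_KEY",
            "openai_base": "OPENAI_API_BASE"}
# Comma is the pair separator; whitespace and control characters are
# rejected too, since none belongs in a model name, API key or base URL.
FORBIDDEN = re.compile(r"[,\s\x00-\x1f\x7f]")

def build_unvalidated(openai_model, openai_key, openai_base):
    """Pattern the advisory describes: direct interpolation, no checks."""
    return (f"OPENAI_MODEL_NAME={openai_model},"
            f"OPENAI_API_KEY={openai_key},"
            f"OPENAI_API_BASE={openai_base}")

def parse_set_env_vars(arg):
    """Simplified model: pairs split on ',', then on the first '='."""
    parsed = {}
    for pair in arg.split(","):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"fragment without '=': {pair!r}")
        parsed[key] = value
    return parsed

def unexpected_keys(arg):
    """Keys the deployed service would receive beyond the three intended."""
    return set(parse_set_env_vars(arg)) - set(ENV_KEYS.values())

def build_validated(openai_model, openai_key, openai_base):
    """Reject unsafe values before they reach the comma-delimited string."""
    values = {"openai_model": openai_model, "openai_key": openai_key,
              "openai_base": openai_base}
    for name, value in values.items():
        if not isinstance(value, str) or not value or FORBIDDEN.search(value):
            # The message omits the value: it may be the API key.
            raise ValueError(f"{name} is empty or has a forbidden character")
    arg = ",".join(f"{ENV_KEYS[n]}={v}" for n, v in values.items())
    if unexpected_keys(arg):  # round-trip check before invoking gcloud
        raise ValueError("argument would define unexpected variables")
    return arg

if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory or its PoC.
    arg = build_unvalidated("gpt-4o,EXTRA_VAR=1", "sk-constructed",
                            "https://api.example.test/v1")
    print("unexpected keys:", unexpected_keys(arg))
```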
An attacker requires local access to the system running deploy.py, with low privileges (PR:L) and low attack complexity, and no user interaction is needed. By supplying specially crafted values containing commas for openai_model, openai_key, or openai_base—such as during a deployment process—they can inject arbitrary environment variables into the resulting Cloud Run service. This achieves high confidentiality and integrity impacts across a changed scope, potentially allowing control over service behavior, exposure of sensitive data, or modification of runtime configurations.
The GitHub Security Advisory (GHSA-fvxx-ggmx-3cjg) confirms the vulnerability is fixed in PraisonAI version 4.5.128, recommending users upgrade to this or later versions to mitigate the issue.
PraisonAI's integration with OpenAI endpoints highlights relevance to AI/ML deployments on Google Cloud Run, where compromised environment variables could alter model inference or API behaviors. No real-world exploitation has been reported.
Details
- CWE(s)