CVE-2026-40153
Published: 09 April 2026
Summary
CVE-2026-40153 is a high-severity Cleartext Storage of Sensitive Information in an Environment Variable (CWE-526) vulnerability in Praison Praisonaiagents. Its CVSS base score is 7.4 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE is ranked at the 9.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Remediates the specific flaw in os.path.expandvars() usage during command execution, as fixed in version 1.5.128, preventing environment variable expansion and secret exfiltration.
Validates command arguments to detect and neutralize environment variable references like $VAR, directly preventing their expansion and subsequent secret exfiltration.
Generates audit records capturing the actual expanded command arguments executed, enabling detection of discrepancies between reviewer-approved unexpanded commands and executed versions.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly enables exfiltration of credentials and secrets stored in environment variables via expandvars() in command execution, mapping to T1552 Unsecured Credentials.
NVD Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
Deeper analysis
CVE-2026-40153 affects PraisonAIAgents, a multi-agent teams system, in versions prior to 1.5.128. The vulnerability resides in the execute_command function within shell_tools.py, where os.path.expandvars() is called on every command argument at line 64. This manually re-implements shell-level environment variable expansion despite the use of shell=False at line 88, which is intended for security. As a result, secrets stored in environment variables, such as database credentials, API keys, and cloud access keys, can be exfiltrated. The issue is rated at CVSS 7.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N) and maps to CWE-526 (Exposure of Sensitive Information Through Environmental Variables).
An attacker can exploit this vulnerability over the network with low complexity and no privileges required, but it necessitates user interaction in the form of a human reviewer approving a malicious command. In a typical scenario, an attacker crafts a command embedding references to environment variables like $VAR, which appears benign and unexpanded in the approval interface. Upon approval and execution, the variables expand, enabling the command to exfiltrate sensitive data without altering integrity or availability.
The GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8 details the fix implemented in version 1.5.128, recommending immediate upgrades to mitigate the risk of secret exfiltration in multi-agent environments.
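The approval/execution mismatch described above, reduced to a minimal Python sketch. This is an added example, not PraisonAIAgents code or its patch: the function names, the `DEMO_SECRET` variable and the reject-on-reference policy are assumptions chosen for illustration.

```python
import os
import re
import shlex
import subprocess
import sys

# References os.path.expandvars() substitutes: $VAR, ${VAR}, and %VAR% on Windows.
_VAR_REF = re.compile(r"\$(\w+|\{[^}]*\})|%[^%\s]+%")


def argv_pre_fix(command: str) -> list[str]:
    """Pattern the advisory describes: every argument is expanded before execution."""
    return [os.path.expandvars(arg) for arg in shlex.split(command)]


def argv_hardened(command: str) -> list[str]:
    """No expansion; arguments carrying a variable reference are refused (assumed policy)."""
    argv = shlex.split(command)
    for arg in argv:
        if _VAR_REF.search(arg):
            raise ValueError(f"environment variable reference in argument: {arg!r}")
    return argv


def run_approved(command: str, approve) -> str:
    """Show the reviewer the exact argv that will run, then run that same list."""
    argv = argv_hardened(command)
    if not approve(shlex.join(argv)):
        raise PermissionError("command not approved")
    # Audit record of the argv actually executed (stderr here, a log sink in practice).
    print(f"AUDIT exec argv={argv!r}", file=sys.stderr)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    os.environ["DEMO_SECRET"] = "constructed-value"  # constructed sample value
    cmd = "echo $DEMO_SECRET"
    print("reviewer sees:", cmd)
    print("pre-fix argv :", argv_pre_fix(cmd))
    try:
        argv_hardened(cmd)
    except ValueError as exc:
        print("hardened     :", exc)
```

With `shell=False` and no `expandvars()` call, passing `$VAR` through as a literal string would also be safe; rejecting it instead keeps the approval prompt unambiguous.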
Details
- CWE(s)