CVE-2026-40288
Published: 14 April 2026
Summary
CVE-2026-40288 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 27.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog. A public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Requires validation of untrusted YAML inputs to block malicious run, script, and python steps that enable arbitrary command and code execution.
Provides sandboxing or process isolation for the JobWorkflowExecutor to contain execution of untrusted shell commands and Python code from YAML files.
Mandates timely flaw remediation by upgrading to the fixed versions, PraisonAI 4.5.139 and praisonaiagents 1.5.140, to eliminate the vulnerability.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote arbitrary command execution via untrusted YAML (shell via subprocess.run and Python via exec/script), directly mapping to exploitation of public-facing applications (T1190) and command/scripting interpreters (T1059.004 Unix Shell, T1059.006 Python).
NVD Description
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Deeper analysis
CVE-2026-40288 is a critical vulnerability in the workflow engine of PraisonAI, a multi-agent teams system, affecting versions below 4.5.139, as well as the praisonaiagents package in versions below 1.5.140. The flaw enables arbitrary command and code execution through untrusted YAML files processed by the JobWorkflowExecutor in job_workflow.py. Specifically, when a YAML file with type: job is loaded via the praisonai workflow run command, steps supporting run (shell commands executed via subprocess.run()), script (inline Python via exec()), and python (arbitrary Python scripts) are processed without validation, sandboxing, or user confirmation. Affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py.
An attacker who can supply or influence a workflow YAML file (for example in CI pipelines, shared repositories, or multi-tenant deployment environments) can exploit this to achieve full arbitrary command execution on the host system, compromising the machine, accessible data, and credentials. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the issue is linked to CWE-78 (OS Command Injection) and CWE-94 (Code Injection).
The GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm confirms the issue has been addressed in PraisonAI version 4.5.139 and praisonaiagents version 1.5.140, recommending immediate upgrades to mitigate the risk.
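A pre-execution gate of the kind the input-validation control above describes, as an added example (not PraisonAI code and not the advisory's fix): it takes the already-parsed YAML document, refuses untrusted type: job workflows that contain run, script, or python keys, and checks a version string against the fixed releases. The function names and the steps/name/agent layout of the sample are assumptions.

```python
# Added example: review a parsed workflow document (e.g. the result of
# yaml.safe_load) before it is handed to `praisonai workflow run`.
EXEC_KEYS = {"run": "shell command", "script": "inline Python", "python": "Python script"}
FIXED = {"praisonai": (4, 5, 139), "praisonaiagents": (1, 5, 140)}  # fixed versions per the advisory


def is_patched(package, version):
    """True if a plain numeric version such as '4.5.138' is at or above the fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return parts >= FIXED[package.lower()]


def find_exec_steps(node, path="$"):
    """Recursively collect (path, kind, value) for every run/script/python key."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key in EXEC_KEYS and value is not None:
                hits.append((here, EXEC_KEYS[key], value))
            else:
                hits.extend(find_exec_steps(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_exec_steps(item, f"{path}[{i}]"))
    return hits


def review_workflow(doc, trusted=False):
    """Return (allowed, findings); untrusted job workflows with exec steps are refused."""
    if not isinstance(doc, dict) or doc.get("type") != "job":
        return True, []
    findings = find_exec_steps(doc)
    return (trusted or not findings), findings


# Constructed sample; the step layout and the `agent` key are assumed for illustration.
SAMPLE = {
    "type": "job",
    "name": "nightly-report",
    "steps": [
        {"name": "build", "run": "echo building"},
        {"name": "summarise", "script": "print('summary')"},
        {"name": "notify", "agent": "reporter"},
    ],
}

if __name__ == "__main__":
    allowed, findings = review_workflow(SAMPLE)
    print("allowed:", allowed)
    for where, kind, value in findings:
        print(f"  {where}: {kind}: {value!r}")
```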
Details
- CWE(s)