CVE-2026-40313
Published: 14 April 2026
Summary
CVE-2026-40313 is a critical-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability in Praison Praisonai. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002); ranked at the 13.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and CM-3 (Configuration Change Control).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Enforces secure configuration settings in GitHub Actions workflows, such as persist-credentials: false in actions/checkout, directly preventing GITHUB_TOKEN persistence and leakage into public artifacts.
- Implements change control for workflow files to review and approve configurations, preventing the introduction or retention of insecure actions/checkout usages.
- Requires developers to perform configuration management on system components including CI/CD workflows, ensuring controlled changes and restricted access to prevent credential leakage in public repositories.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability directly causes GITHUB_TOKEN leakage into artifacts through an actions/checkout misconfiguration, enabling T1528 (Steal Application Access Token), subsequent use of the stolen token via T1550.001 (Use Alternate Authentication Material: Application Access Token), and T1195.002 (Compromise Software Supply Chain) through malicious code injection and package poisoning.
NVD Description
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to the ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
Deeper analysis
CVE-2026-40313 affects PraisonAI, a multi-agent teams system, in versions 4.5.139 and below. The vulnerability resides in the project's GitHub Actions workflows, which are susceptible to the ArtiPACKED attack—a credential leakage issue stemming from the use of actions/checkout without the persist-credentials: false setting. This causes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) to be written into the .git/config file for persistence. Subsequent workflow steps that upload artifacts, such as build outputs, logs, or test results, can inadvertently include these tokens. The flaw impacts numerous workflow and action files in .github/workflows/ and .github/actions/, earning a CVSS score of 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and mapping to CWE-829.
Any user with read access to the public PraisonAI repository can exploit this by downloading the artifacts and extracting the leaked tokens. Successful exploitation allows attackers to push malicious code, poison releases and associated PyPI or Docker packages, steal repository secrets, and perform a full supply chain compromise, impacting all downstream users of the software.
The issue has been fixed in PraisonAI version 4.5.140. Official advisories, including the GitHub security advisory at GHSA-3959-6v5q-45q2, along with analyses from The Hacker News and Unit 42, recommend setting persist-credentials: false in actions/checkout usages and reviewing artifact uploads to prevent token leakage in GitHub Actions workflows.
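As an added example (not code from the advisory or from the PraisonAI project), the following Python script implements the two checks the recommendation above describes: it scans GitHub Actions workflow text for actions/checkout steps that do not set persist-credentials: false, and for actions/upload-artifact steps whose path covers the checkout root, where .git/config would be swept into the artifact. The parser is a deliberately small line-based one (no PyYAML dependency) that understands block-style `with:` maps only; the workflow in `SAMPLE_WORKFLOW` is constructed for illustration and is not one of the project's files.

```python
"""Audit GitHub Actions workflow YAML for the ArtiPACKED pattern: a checkout
step that keeps credentials in .git/config, and an artifact upload that
would ship that file.  Constructed example; not the project's own code."""
import re
from typing import List, NamedTuple, Optional

# Constructed sample workflow: the first checkout is hardened, the second is
# not, and the final step uploads the whole working tree (including .git/).
SAMPLE_WORKFLOW = """\
name: build
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout (hardened)
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - run: pytest
      - uses: actions/upload-artifact@v4
        with:
          name: logs
          path: .
"""


class Finding(NamedTuple):
    line: int      # 1-based line number of the offending `uses:` statement
    action: str    # e.g. actions/checkout@v4
    reason: str


# Matches "uses: owner/repo@ref", optionally as the first key of a "- " item.
USES_RE = re.compile(r"^(\s*)(-\s+)?uses:\s*['\"]?([\w./-]+@[\w./-]+)")


def _indent(s: str) -> int:
    return len(s) - len(s.lstrip(" "))


def _step_lines(lines: List[str], idx: int, key_indent: int) -> List[str]:
    """Collect every line of the step item that contains lines[idx]."""
    start = idx
    if not lines[idx].lstrip().startswith("- "):
        # Walk back to the "- " line that opens this step.
        while start > 0:
            prev = lines[start - 1]
            if prev.strip() and _indent(prev) < key_indent:
                if prev.lstrip().startswith("- "):
                    start -= 1
                break
            start -= 1
    end = idx + 1
    while end < len(lines) and (
        not lines[end].strip() or _indent(lines[end]) >= key_indent
    ):
        end += 1
    return lines[start:end]


def _with_value(step: List[str], key_indent: int, key: str) -> Optional[str]:
    """Return the value of `with: {key: ...}` in a step (block style), or None."""
    in_with = False
    pat = re.compile(re.escape(key) + r":\s*(.*)$")
    for raw in step:
        if not raw.strip():
            continue
        body, ind = raw.lstrip(), _indent(raw)
        if body.startswith("- "):          # first key of the step item
            body, ind = body[2:].lstrip(), key_indent
        if ind == key_indent:
            in_with = body.startswith("with:")
        elif in_with and ind > key_indent:
            m = pat.match(body)
            if m:
                return m.group(1).strip().strip("'\"")
    return None


def audit_workflow(yaml_text: str) -> List[Finding]:
    """Report checkout steps that persist credentials and uploads of the tree root."""
    lines = yaml_text.splitlines()
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m:
            continue
        key_indent = len(m.group(1)) + len(m.group(2) or "")
        action = m.group(3)
        step = _step_lines(lines, idx, key_indent)
        if action.startswith("actions/checkout@"):
            value = _with_value(step, key_indent, "persist-credentials")
            if value is None or value.lower() != "false":   # default is true
                findings.append(Finding(idx + 1, action,
                    "persist-credentials is not false; GITHUB_TOKEN stays in .git/config"))
        elif action.startswith("actions/upload-artifact@"):
            path = _with_value(step, key_indent, "path")
            if path is not None and (path.rstrip("/") == "." or ".git" in path.split("/")):
                findings.append(Finding(idx + 1, action,
                    f"artifact path {path!r} covers the checkout root, so .git/config would be uploaded"))
    return findings


if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}: {f.reason}")
```

Run against the sample it reports the second checkout (line 11) and the root-level upload (line 15); the hardened checkout on line 8 passes. In a real repository the same function would be applied to every file under .github/workflows/ and .github/actions/, the locations the advisory names, as a pre-merge check under the configuration change control described above.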
PraisonAI's role as a multi-agent AI system underscores the supply chain risks to AI/ML projects hosted on public repositories. No specific real-world exploitation of this CVE is detailed in the provided information.
Details
- CWE(s)