Executive Summary

CVE-2026-40088 is a critical OS Command Injection vulnerability in PraisonAI versions prior to 4.5.121. It occurs because the execute_command function and workflow shell execution mechanisms improperly handle user-controlled inputs by passing them directly to subprocess.run() with shell=True without sanitization.

This allows attackers to inject arbitrary shell commands using special shell metacharacters such as ;, |, &&, and $(), leading to execution of unintended commands.

The vulnerability arises from multiple input sources including YAML workflow step definitions, agent configuration files (agents.yaml), recipe step configurations, and LLM-generated tool call parameters.

Attackers can exploit this to execute malicious commands, such as exfiltrating sensitive files or stealing private keys.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to unauthorized execution of arbitrary shell commands with the privileges of the user running PraisonAI.

• Unauthorized reading and exfiltration of sensitive data (e.g., system files, private SSH keys).
• Modification or deletion of system files, potentially disrupting system operations.
• Arbitrary command execution that can lead to full system compromise, especially in automated environments like CI/CD pipelines or agent workflows.
• Attack scenarios include malicious pull requests injecting commands in shared repositories, poisoned agent marketplaces distributing backdoored agents, and remote code execution via LLM prompt injection.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting PraisonAI configurations and workflows for the presence of unsanitized shell commands that include dangerous shell metacharacters such as ;, |, &, $, and $().

Specifically, you should check YAML workflow step definitions, agent configuration files (agents.yaml), recipe YAML files, and any LLM-generated tool call parameters for suspicious shell command injections.

Suggested commands to detect potential exploitation or presence of malicious commands include searching for suspicious shell metacharacters in relevant files:

• grep -rE '[;|&$()]' path/to/praisonai/configs/
• grep -r 'shell_command' path/to/praisonai/agents.yaml
• Audit logs for executed commands if logging is enabled, looking for unexpected or unauthorized shell commands.

Additionally, monitor network traffic for unusual outbound connections that could indicate exfiltration attempts triggered by malicious shell commands.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading PraisonAI to version 4.5.121 or later, where this vulnerability is fixed.

If upgrading is not immediately possible, apply the following mitigations:

• Disable shell=True usage in execute_command and workflow shell executions; use shell=False unless explicitly required.
• Validate and sanitize all user-controlled inputs to reject commands containing dangerous shell metacharacters (;, |, &, $, etc.).
• Use safe command execution methods by passing commands as argument lists instead of raw shell strings.
• Implement allowlists to permit only trusted commands and require explicit opt-in for shell execution.
• Enable logging of all executed commands for monitoring and auditing purposes.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows attackers to inject arbitrary shell commands, leading to unauthorized reading and exfiltration of sensitive data, modification or deletion of system files, and potential full system compromise.

Such unauthorized access and data exfiltration can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive information.

Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and failure to protect sensitive data.

Useful 0 Not Useful 0