CVE-2026-40088
Command Injection in PraisonAI execute_command Allows Arbitrary Shell Execution
Publication date: 2026-04-09
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 4.5.121 (excluding 4.5.121) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to inject arbitrary shell commands, leading to unauthorized reading and exfiltration of sensitive data, modification or deletion of system files, and potential full system compromise.
Such unauthorized access and data exfiltration can result in violations of data protection regulations like GDPR and HIPAA, which mandate strict controls over the confidentiality and integrity of personal and sensitive information.
Therefore, exploitation of this vulnerability could lead to non-compliance with these standards due to potential data breaches and failure to protect sensitive data.
Can you explain this vulnerability to me?
CVE-2026-40088 is a critical OS Command Injection vulnerability in PraisonAI versions prior to 4.5.121. It occurs because the execute_command function and the workflow shell execution mechanisms pass user-controlled input directly to subprocess.run() with shell=True, without sanitization.
This allows attackers to inject arbitrary shell commands using special shell metacharacters such as ;, |, &&, and $(), leading to execution of unintended commands.
The vulnerability arises from multiple input sources including YAML workflow step definitions, agent configuration files (agents.yaml), recipe step configurations, and LLM-generated tool call parameters.
Attackers can exploit this to execute malicious commands, such as exfiltrating sensitive files or stealing private keys.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized execution of arbitrary shell commands with the privileges of the user running PraisonAI.
- Unauthorized reading and exfiltration of sensitive data (e.g., system files, private SSH keys).
- Modification or deletion of system files, potentially disrupting system operations.
- Arbitrary command execution that can lead to full system compromise, especially in automated environments like CI/CD pipelines or agent workflows.
- Attack scenarios include malicious pull requests injecting commands in shared repositories, poisoned agent marketplaces distributing backdoored agents, and remote code execution via LLM prompt injection.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting PraisonAI configurations and workflows for the presence of unsanitized shell commands that include dangerous shell metacharacters such as ;, |, &, $, and $().
Specifically, you should check YAML workflow step definitions, agent configuration files (agents.yaml), recipe YAML files, and any LLM-generated tool call parameters for suspicious shell command injections.
Suggested commands to detect potential exploitation or the presence of malicious commands search for suspicious shell metacharacters in the relevant files. Note that these patterns match any occurrence of the characters, including legitimate YAML syntax, so review every hit in context:
- grep -rE '[;|&$()]' path/to/praisonai/configs/
- grep -r 'shell_command' path/to/praisonai/agents.yaml
- Audit logs for executed commands if logging is enabled, looking for unexpected or unauthorized shell commands.
Additionally, monitor network traffic for unusual outbound connections that could indicate exfiltration attempts triggered by malicious shell commands.
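The grep suggestions above flag any metacharacter anywhere in a file. The following scanner, an added example written for this page and not part of PraisonAI, narrows that to the values of command-bearing YAML keys so that ordinary YAML punctuation and prose fields do not trigger findings. The key names other than shell_command (which the advisory mentions) and the sample configuration are constructed assumptions, not PraisonAI's actual schema.

```python
"""Scan PraisonAI-style YAML workflow and agent configs for shell metacharacters
in command-bearing fields. Added example; not code from the PraisonAI project."""
import re
from dataclasses import dataclass

# Keys whose values are likely to reach a shell. "shell_command" is named in the
# advisory; the other names are assumed conventions, not PraisonAI's schema.
COMMAND_KEYS = {"command", "shell_command", "run", "cmd", "script"}

# Metacharacters from the advisory's detection guidance. Multi-character
# tokens are listed before their single-character prefixes so "$(" wins over "$".
METACHAR_RE = re.compile(r"(;|\|\||\||&&|&|\$\(|`|\$\{|\$)")

# Matches "key: value" and "- key: value" lines in a line-oriented pass, which
# avoids a YAML dependency and keeps line numbers for reporting.
KEY_VALUE_RE = re.compile(r"^\s*-?\s*([A-Za-z_][\w-]*)\s*:\s*(.+?)\s*$")


@dataclass(frozen=True)
class Finding:
    line_no: int
    key: str
    value: str
    metachars: tuple


def scan_config(text: str) -> list:
    """Return a Finding for every command-bearing key whose value contains
    shell metacharacters."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = KEY_VALUE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key.lower() not in COMMAND_KEYS:
            continue  # prose, names, descriptions: not shell input
        value = value.strip().strip('"').strip("'")
        hits = tuple(sorted(set(METACHAR_RE.findall(value))))
        if hits:
            findings.append(Finding(line_no, key, value, hits))
    return findings


# Constructed sample config: two clean steps, a prose field containing a pipe
# (which must not be reported), and two steps carrying injected metacharacters.
SAMPLE_CONFIG = """\
framework: praisonai
description: "pipes like a|b in prose are fine here"
steps:
  - name: list_files
    shell_command: ls -la ./reports
  - name: build
    command: make build
  - name: suspicious
    shell_command: "ls; id"
  - name: also_suspicious
    run: echo $(whoami)
"""


if __name__ == "__main__":
    for f in scan_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.key}={f.value!r} contains {f.metachars}")
```

Run it over each workflow, agents.yaml and recipe file in turn; a hit is a value that will be interpreted by a shell if it reaches execute_command, and should be reviewed before the workflow runs.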
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading PraisonAI to version 4.5.121 or later, where this vulnerability is fixed.
If upgrading is not immediately possible, apply the following mitigations:
- Disable shell=True usage in execute_command and workflow shell executions; use shell=False unless explicitly required.
- Validate and sanitize all user-controlled inputs to reject commands containing dangerous shell metacharacters (;, |, &, $, etc.).
- Use safe command execution methods by passing commands as argument lists instead of raw shell strings.
- Implement allowlists to permit only trusted commands and require explicit opt-in for shell execution.
- Enable logging of all executed commands for monitoring and auditing purposes.
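The mitigations above, shown side by side with the vulnerable pattern, as an added example written for this page rather than PraisonAI's own execute_command: the hardened version rejects shell metacharacters, splits the command into an argument list, enforces an allowlist on the executable, runs it with shell=False and logs every execution. The function names, the allowlist contents and the error type are assumptions for illustration.

```python
"""Vulnerable vs hardened command execution for CWE-78.
Added example; illustrative code, not PraisonAI's implementation."""
import logging
import shlex
import subprocess

log = logging.getLogger("execute_command")

# Characters that only have meaning to a shell. Because the hardened path never
# invokes a shell, a legitimate command string never needs any of them.
SHELL_METACHARS = frozenset(";|&$`<>(){}\n")

# Assumed allowlist: executables a workflow step is permitted to run.
ALLOWED_COMMANDS = frozenset({"ls", "cat", "echo", "git", "pytest"})


class CommandRejected(ValueError):
    """Raised when an untrusted command string fails validation."""


def execute_command_vulnerable(cmd: str) -> subprocess.CompletedProcess:
    """The pattern the advisory describes: a user-controlled string handed
    straight to a shell. A value such as "echo hi; id" runs both commands."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True)


def parse_command(cmd: str) -> list:
    """Validate an untrusted command string and return it as an argv list."""
    bad = sorted(c for c in SHELL_METACHARS if c in cmd)
    if bad:
        # Reject rather than strip: stripping invites bypasses and silently
        # changes what the step does.
        raise CommandRejected(f"shell metacharacters not allowed: {bad!r}")
    try:
        argv = shlex.split(cmd)  # POSIX quoting rules, no shell involved
    except ValueError as exc:
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise CommandRejected(f"executable not in allowlist: {argv[0]!r}")
    return argv


def execute_command_hardened(cmd: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run a validated command as an argument list without a shell."""
    argv = parse_command(cmd)
    # Audit trail: the exact argv that will execute, before it executes.
    log.info("executing argv=%r", argv)
    return subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    injected = "echo hello; echo injected"
    print("vulnerable:", execute_command_vulnerable(injected).stdout.strip())
    try:
        execute_command_hardened(injected)
    except CommandRejected as exc:
        print("hardened rejected:", exc)
    print("hardened ran:", execute_command_hardened("echo hello").stdout.strip())
```

Two design choices are worth noting. Metacharacters are rejected even inside quotes (so `echo "a; b"` is refused), because the argument-list API makes them unnecessary and a conservative rule is easier to audit than a quoting-aware one. The allowlist is applied to argv[0] after splitting, so a value like `ls -la` passes while `rm -rf` or `/bin/sh -c ...` is refused before anything is spawned.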