CVE-2026-40111
Received Received - Intake
Command Injection in PraisonAIAgents Memory Hooks Enables Persistent RCE

Publication date: 2026-04-09

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40111
EUVD
EUVD-2026-21152
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonaiagents to 1.5.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in PraisonAIAgents, a multi-agent teams system, in versions prior to 1.5.128. The memory hooks executor passes a user-controlled command string directly to subprocess.run() with shell=True without any sanitization. This means shell metacharacters are interpreted by /bin/sh before the command executes.

There are two attack surfaces: one via pre_run_command and post_run_command hook event types configured through hooks, and a more severe one via the .praisonai/hooks.json lifecycle configuration. An attacker who gains file-write access through prompt injection can overwrite this hooks.json file, causing their payload to execute silently at every lifecycle event without further user interaction.

This vulnerability allows arbitrary command execution triggered automatically during agent operation.

Mitigation Strategies

The vulnerability is fixed in PraisonAIAgents version 1.5.128. Immediate mitigation involves upgrading to version 1.5.128 or later.

Additionally, restrict file-write access to the .praisonai/hooks.json lifecycle configuration file to prevent unauthorized modification that could lead to silent execution of malicious payloads.

Impact Analysis

This vulnerability can lead to arbitrary code execution with low privileges but high impact, as malicious commands can be run silently and automatically during agent lifecycle events.

An attacker who exploits this can execute unauthorized commands, potentially leading to data compromise, system manipulation, or further escalation of privileges.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40111. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart