CVE-2026-40153
Received Received - Intake
Environment Variable Expansion Flaw in PraisonAIAgents Enables Secret Exfiltration

Publication date: 2026-04-09

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-09
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40153
EUVD
EUVD-2026-21176
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonaiagents to 1.5.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-526 The product uses an environment variable to store unencrypted sensitive information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in PraisonAIAgents, a multi-agent teams system, specifically in versions prior to 1.5.128. The execute_command function in shell_tools.py improperly uses os.path.expandvars() on every command argument, manually re-implementing shell-level environment variable expansion even though the command is executed with shell=False for security reasons. This causes environment variables to be expanded unexpectedly.

Because of this, secrets stored in environment variables such as database credentials, API keys, and cloud access keys can be exfiltrated. Additionally, the approval system shows the unexpanded variable references (like $VAR) to human reviewers, which is deceptive because the command that actually runs has those variables expanded, potentially hiding malicious intent.

This vulnerability was fixed in version 1.5.128.

Compliance Impact

This vulnerability allows exfiltration of secrets stored in environment variables, such as database credentials, API keys, and cloud access keys. Such unauthorized disclosure of sensitive information can lead to violations of data protection and security requirements mandated by common standards and regulations like GDPR and HIPAA.

Specifically, the deceptive approval system that displays unexpanded environment variable references to human reviewers means that sensitive data could be exposed without proper oversight, increasing the risk of non-compliance with confidentiality and data integrity obligations.

Therefore, organizations using vulnerable versions of PraisonAIAgents prior to 1.5.128 may face compliance risks related to the protection of sensitive information under these regulations.

Impact Analysis

This vulnerability can lead to the exfiltration of sensitive secrets stored in environment variables, including database credentials, API keys, and cloud access keys.

Because the approval system displays unexpanded variable references, human reviewers may be deceived into approving commands that execute differently than they appear, potentially allowing unauthorized access or actions.

The impact is significant confidentiality loss (CVSS confidentiality impact is high), but it does not affect integrity or availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade PraisonAIAgents to version 1.5.128 or later, where the issue with execute_command in shell_tools.py has been fixed.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40153. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart