CVE-2026-40159
Received Received - Intake
Environment Variable Exposure via MCP Subprocess Execution in PraisonAI

Publication date: 2026-04-10

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. This vulnerability is fixed in 4.5.128.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40159
EUVD
EUVD-2026-21511
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonai to 4.5.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-214 A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-40159 is a moderate severity vulnerability in PraisonAI's MCP (Model Context Protocol) integration prior to version 4.5.128. The MCP feature allows spawning background subprocesses using user-supplied command strings executed via Python's subprocess module. By default, these subprocesses inherit the entire environment of the parent process, including sensitive environment variables such as API keys, authentication tokens, and database credentials.

This means that when untrusted or third-party commands are executed, for example via package runners like 'npx -y', malicious or compromised subprocesses can access and silently exfiltrate these sensitive environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks.

The vulnerability was fixed in version 4.5.128 by sanitizing the environment variables passed to subprocesses and implementing strict allowlists to prevent sensitive data exposure.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive credentials such as API keys, authentication tokens, and database credentials by malicious subprocesses spawned through the MCP integration.

As a result, attackers can silently exfiltrate secrets, potentially compromising external services and infrastructure without the user's awareness.

This can enable supply chain attacks where compromised or malicious third-party packages execute arbitrary code with access to sensitive environment variables, increasing the risk of data breaches and system compromise.

Detection Guidance

This vulnerability can be detected by checking if MCP subprocesses spawned by PraisonAI inherit sensitive environment variables from the parent process. A proof-of-concept involves exporting a secret environment variable and running an MCP subprocess that prints or sends all inherited environment variables, confirming exposure.

For detection, you can run commands that spawn MCP subprocesses and inspect their environment variables for sensitive data such as API keys or tokens.

  • Export a test secret key, e.g., `export SUPER_SECRET_KEY=testing123`
  • Run an MCP subprocess command that prints environment variables, for example using `npx -y @smithery/cli env` or a similar command that outputs environment variables.
  • Check the output for the presence of sensitive environment variables like `SUPER_SECRET_KEY` or other API keys.
Mitigation Strategies

Immediate mitigation involves sanitizing the environment variables passed to MCP subprocesses to prevent sensitive data exposure.

Specifically, remove or unset sensitive environment variables such as API keys, authentication tokens, and database credentials before spawning subprocesses.

  • Implement strict allowlists for environment variables passed to MCP subprocesses, explicitly excluding sensitive keys like `OPENAI_API_KEY` and variables matching patterns like `*_API_KEY` or `*_TOKEN`.
  • Avoid using commands like `npx -y` to invoke MCP tools with untrusted or third-party packages.
  • Upgrade PraisonAI to version 4.5.128 or later, where this vulnerability is fixed.
Compliance Impact

This vulnerability allows unauthorized exposure of sensitive environment variables such as API keys, authentication tokens, and database credentials to untrusted subprocesses. Such exposure can lead to unauthorized access to external services and infrastructure compromise without user awareness.

The unintended credential exposure and potential silent exfiltration of secrets pose risks to compliance with standards and regulations that mandate protection of sensitive data, such as GDPR and HIPAA. Failure to safeguard such sensitive information could result in violations of data protection requirements, leading to legal and regulatory consequences.

Mitigation involves sanitizing environment variables passed to subprocesses and implementing strict allowlists, which helps reduce the risk of non-compliance by preventing unauthorized disclosure of sensitive information.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40159. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart