CVE-2026-40159
Environment Variable Exposure via MCP Subprocess Execution in PraisonAI

Publication date: 2026-04-10

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. This vulnerability is fixed in 4.5.128.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-04-10
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: praison
Product: praisonai
Version / Range: up to 4.5.128 (excluding 4.5.128)
CWE ID Description
CWE-214 A process is invoked with sensitive command-line arguments, environment variables, or other elements that can be seen by other processes on the operating system.
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthorized exposure of sensitive environment variables such as API keys, authentication tokens, and database credentials to untrusted subprocesses. Such exposure can lead to unauthorized access to external services and infrastructure compromise without user awareness.

The unintended credential exposure and potential silent exfiltration of secrets pose risks to compliance with standards and regulations that mandate protection of sensitive data, such as GDPR and HIPAA. Failure to safeguard such sensitive information could result in violations of data protection requirements, leading to legal and regulatory consequences.

Mitigation involves sanitizing environment variables passed to subprocesses and implementing strict allowlists, which helps reduce the risk of non-compliance by preventing unauthorized disclosure of sensitive information.


Can you explain this vulnerability to me?

CVE-2026-40159 is a moderate severity vulnerability in PraisonAI's MCP (Model Context Protocol) integration prior to version 4.5.128. The MCP feature allows spawning background subprocesses using user-supplied command strings executed via Python's subprocess module. By default, these subprocesses inherit the entire environment of the parent process, including sensitive environment variables such as API keys, authentication tokens, and database credentials.

This means that when untrusted or third-party commands are executed, for example via package runners like 'npx -y', malicious or compromised subprocesses can access and silently exfiltrate these sensitive environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks.

The vulnerability was fixed in version 4.5.128 by sanitizing the environment variables passed to subprocesses and implementing strict allowlists to prevent sensitive data exposure.


How can this vulnerability impact me?

This vulnerability can lead to unauthorized access to sensitive credentials such as API keys, authentication tokens, and database credentials by malicious subprocesses spawned through the MCP integration.

As a result, attackers can silently exfiltrate secrets, potentially compromising external services and infrastructure without the user's awareness.

This can enable supply chain attacks where compromised or malicious third-party packages execute arbitrary code with access to sensitive environment variables, increasing the risk of data breaches and system compromise.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if MCP subprocesses spawned by PraisonAI inherit sensitive environment variables from the parent process. A proof-of-concept involves exporting a secret environment variable and running an MCP subprocess that prints or sends all inherited environment variables, confirming exposure.

For detection, you can run commands that spawn MCP subprocesses and inspect their environment variables for sensitive data such as API keys or tokens.

  • Export a test secret key, e.g., `export SUPER_SECRET_KEY=testing123`
  • Run an MCP subprocess command that prints environment variables, for example using `npx -y @smithery/cli env` or a similar command that outputs environment variables.
  • Check the output for the presence of sensitive environment variables like `SUPER_SECRET_KEY` or other API keys.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation involves sanitizing the environment variables passed to MCP subprocesses to prevent sensitive data exposure.

Specifically, remove or unset sensitive environment variables such as API keys, authentication tokens, and database credentials before spawning subprocesses.

  • Implement strict allowlists for environment variables passed to MCP subprocesses, explicitly excluding sensitive keys like `OPENAI_API_KEY` and variables matching patterns like `*_API_KEY` or `*_TOKEN`.
  • Avoid using commands like `npx -y` to invoke MCP tools with untrusted or third-party packages.
  • Upgrade PraisonAI to version 4.5.128 or later, where this vulnerability is fixed.
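The detection and mitigation steps above come down to one mechanism: pass an explicit `env=` mapping to `subprocess` instead of letting the child inherit `os.environ`. The following is an added example, not PraisonAI's own code or its actual fix; `ALLOWED_ENV`, `SENSITIVE_PATTERNS`, the function names and the constructed `SAMPLE_PARENT` mapping are my assumptions. It builds an allowlisted child environment, reports which secret-looking names would leak, and confirms by spawning a child (Python itself rather than an `npx` server, so it runs offline) that the child sees only what was allowlisted.

```python
import json
import os
import re
import subprocess
import sys

# Hypothetical allowlist: the minimum a stdio MCP server needs to start.
# SYSTEMROOT/TEMP/TMP are included so the same list works on Windows.
ALLOWED_ENV = {"PATH", "HOME", "LANG", "LC_ALL", "TMPDIR", "TERM", "USER",
               "SYSTEMROOT", "TEMP", "TMP"}

# Name patterns from the advisory's mitigation text (e.g. *_API_KEY, *_TOKEN),
# plus a few other common secret-bearing suffixes.
SENSITIVE_PATTERNS = re.compile(r"(_API_KEY|_TOKEN|_SECRET|PASSWORD|CREDENTIAL)",
                                re.IGNORECASE)

# Constructed sample of a parent process environment (not real secrets).
SAMPLE_PARENT = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/agent",
    "LANG": "C.UTF-8",
    "OPENAI_API_KEY": "sk-constructed-example",
    "DB_PASSWORD": "constructed-hunter2",
    "SUPER_SECRET_KEY": "testing123",
}


def build_child_env(parent_env, allowed=ALLOWED_ENV, extra=None):
    """Return the environment to hand to subprocess: only allowlisted names are
    copied from the parent, and anything secret-looking is dropped even if it
    was allowlisted by mistake. Values a specific server genuinely needs are
    passed explicitly through `extra`, never inherited implicitly."""
    child = {k: v for k, v in parent_env.items()
             if k in allowed and not SENSITIVE_PATTERNS.search(k)}
    if extra:
        child.update(extra)
    return child


def leaked_names(parent_env, child_env):
    """Secret-looking parent variables that would be visible to the child."""
    return sorted(k for k in child_env
                  if k in parent_env and SENSITIVE_PATTERNS.search(k))


def spawn_env_dump(env):
    """Spawn a child with exactly `env` and return the environment it observed.
    Python stands in for the MCP server binary so the check runs offline."""
    proc = subprocess.run(
        [sys.executable, "-c",
         "import json, os; print(json.dumps(dict(os.environ)))"],
        env=env, capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def child_is_isolated(parent_env):
    """True when a child spawned with the sanitized env sees no secret names."""
    seen = spawn_env_dump(build_child_env(parent_env))
    return leaked_names(parent_env, seen) == []


if __name__ == "__main__":
    # Vulnerable pattern: forwarding the parent environment unchanged.
    print("inherited env leaks:", leaked_names(SAMPLE_PARENT, dict(SAMPLE_PARENT)))
    # Hardened pattern: explicit allowlist.
    print("allowlisted env leaks:", leaked_names(SAMPLE_PARENT, build_child_env(SAMPLE_PARENT)))
    print("child isolated:", child_is_isolated(SAMPLE_PARENT))
```

In a real caller, replace `SAMPLE_PARENT` with `os.environ` and the Python stub with the actual MCP command; the `env=` argument is the only part that changes relative to the vulnerable `subprocess.Popen(cmd)` call, and `leaked_names` can be run as a pre-spawn assertion so a misconfigured allowlist fails closed instead of exporting credentials.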
