Executive Summary

CVE-2026-40288 is a critical remote code execution vulnerability in the PraisonAI system affecting versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents. The issue arises when the workflow engine processes untrusted YAML files with type: job. These YAML files can contain steps that execute shell commands, inline Python code, or arbitrary Python scripts without any validation or sandboxing.

Specifically, the JobWorkflowExecutor processes commands via subprocess.run() for shell commands, exec() for inline Python, and arbitrary Python script execution, all without sanitizing the input. This allows an attacker who can supply or influence a workflow YAML file to execute arbitrary commands or code on the host system.

The affected code paths include functions in workflow.py and job_workflow.py that handle these executions. This vulnerability can be exploited remotely or locally, especially in environments like CI pipelines or shared repositories.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to achieve full arbitrary command execution on the host system by supplying or influencing a malicious workflow YAML file.

The impact includes complete compromise of the affected machine, including access to any data or credentials available on that system.

Because the attack vector is network-based with no privileges or user interaction required, it poses a severe risk in multi-tenant, CI pipeline, or shared deployment environments.

The CVSS v3.1 base score of 9.8 reflects the critical severity, indicating high impact on confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for the presence and execution of untrusted YAML workflow files with the type: job that include steps using run:, script:, or python: commands. A practical detection method is to attempt running a proof-of-concept YAML file that executes a harmless command to verify if arbitrary code execution is possible.

For example, create a YAML file named exploit.yaml with the following content:

• type: job
• name: exploit
• steps:
• - name: write-file
• run: python -c "open('pwned.txt','w').write('owned')"

Then run the command: praisonai workflow run exploit.yaml

If a file named pwned.txt is created in the working directory, it indicates the system is vulnerable to arbitrary code execution via untrusted YAML files.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI and praisonaiagents to the fixed versions: 4.5.139 or later for PraisonAI, and 1.5.140 or later for praisonaiagents.

Additionally, avoid running untrusted or unauthenticated YAML workflow files, especially those specifying type: job, in your environment.

Implement strict access controls and validation on workflow files used in CI pipelines, shared repositories, or multi-tenant deployments to prevent attackers from supplying malicious YAML files.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows arbitrary command and code execution on the host system by an attacker who can supply or influence a workflow YAML file. This can lead to full system compromise, including unauthorized access to any accessible data or credentials.

Such a compromise can result in breaches of confidentiality, integrity, and availability of sensitive data, which are core concerns of compliance standards like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could cause non-compliance with regulations that require protection of personal data and secure system operations, potentially leading to legal and financial consequences.

Useful 0 Not Useful 0