CVE-2026-40288
Status: Received - Intake
Arbitrary Code Execution in PraisonAI Workflow via Untrusted YAML

Publication date: 2026-04-14

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution), all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Meta Information
Published: 2026-04-14
Last Modified: 2026-04-20
Generated: 2026-05-06
AI Q&A: 2026-04-14
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor    Product          Version / Range
praison   praisonai        up to 4.5.139 (exclusive)
praison   praisonaiagents  up to 1.5.140 (exclusive)
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40288 is a critical remote code execution vulnerability in the PraisonAI system affecting versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents. The issue arises when the workflow engine processes untrusted YAML files with type: job. These YAML files can contain steps that execute shell commands, inline Python code, or arbitrary Python scripts without any validation or sandboxing.

Specifically, the JobWorkflowExecutor processes commands via subprocess.run() for shell commands, exec() for inline Python, and arbitrary Python script execution, all without sanitizing the input. This allows an attacker who can supply or influence a workflow YAML file to execute arbitrary commands or code on the host system.

The affected code paths include functions in workflow.py and job_workflow.py that handle these executions. This vulnerability can be exploited remotely or locally, especially in environments like CI pipelines or shared repositories.


How can this vulnerability impact me?

This vulnerability allows an attacker to achieve full arbitrary command execution on the host system by supplying or influencing a malicious workflow YAML file.

The impact includes complete compromise of the affected machine, including access to any data or credentials available on that system.

Because the attack vector is network-based with no privileges or user interaction required, it poses a severe risk in multi-tenant, CI pipeline, or shared deployment environments.

The CVSS v3.1 base score of 9.8 reflects the critical severity, indicating high impact on confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for the presence and execution of untrusted YAML workflow files with type: job that include steps using the run:, script:, or python: keys. A practical detection method is to run a proof-of-concept YAML file that executes a harmless command and verify whether arbitrary code execution is possible.

For example, create a YAML file named exploit.yaml with the following content:

    type: job
    name: exploit
    steps:
      - name: write-file
        run: python -c "open('pwned.txt','w').write('owned')"

Then run the command: praisonai workflow run exploit.yaml

If a file named pwned.txt is created in the working directory, it indicates the system is vulnerable to arbitrary code execution via untrusted YAML files.


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade PraisonAI and praisonaiagents to the fixed versions: 4.5.139 or later for PraisonAI, and 1.5.140 or later for praisonaiagents.

Additionally, avoid running untrusted or unauthenticated YAML workflow files, especially those specifying type: job, in your environment.

Implement strict access controls and validation on workflow files used in CI pipelines, shared repositories, or multi-tenant deployments to prevent attackers from supplying malicious YAML files.
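
One way to apply the workflow-file validation described above as a CI gate, shown as an added example (not PraisonAI's code and not part of the original advisory): a dependency-free Python pre-filter that flags workflow YAML containing the run:, script: or python: step keys named in the description. The function names, verdict labels and sample files are assumptions constructed for illustration.

```python
import re

# Step keys the advisory says the job workflow executor runs without validation.
# A key may be bare or quoted, in block style ("- run: ...") or flow style ("{run: ...}").
_EXEC_KEY = re.compile(r"""(?:^|[\s{,\-])["']?(run|script|python)["']?\s*:(?:\s|$)""")
# "type: job" in block or flow style, with optional quotes.
_JOB_TYPE = re.compile(r"""(?:^|[\s{,])["']?type["']?\s*:\s*["']?job["']?(?=[\s,}#]|$)""")


def audit_workflow(text):
    """Return (is_job, findings); findings is a list of (line_no, key)."""
    is_job, findings = False, []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # whole-line YAML comment
            continue
        if _JOB_TYPE.search(line):
            is_job = True
        match = _EXEC_KEY.search(line)
        if match:
            findings.append((line_no, match.group(1)))
    return is_job, findings


def verdict(text):
    """'block': type: job with executable steps; 'review': executable step
    keys without type: job (assumed policy); 'allow': none found."""
    is_job, findings = audit_workflow(text)
    if not findings:
        return "allow"
    return "block" if is_job else "review"


# Constructed samples. JOB_SAMPLE mirrors the file structure shown on this page.
JOB_SAMPLE = """\
type: job
name: write-file-demo
steps:
  - name: write-file
    run: python -c "open('out.txt','w').write('x')"
"""
FLOW_SAMPLE = 'type: "job"\nsteps: [{name: s1, "script": "print(1)"}]\n'
# "description" contains the substring "script" but is not a step key.
BENIGN_SAMPLE = "name: notes\nsteps:\n  - name: summarize\n    description: no executable keys\n"

if __name__ == "__main__":
    for label, sample in [("job", JOB_SAMPLE), ("flow", FLOW_SAMPLE), ("benign", BENIGN_SAMPLE)]:
        print(label, verdict(sample), audit_workflow(sample)[1])
```

This is a text-level pre-filter: it does not resolve YAML anchors, aliases or other indirect key encodings, so "allow" means only that nothing was found.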


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows arbitrary command and code execution on the host system by an attacker who can supply or influence a workflow YAML file. This can lead to full system compromise, including unauthorized access to any accessible data or credentials.

Such a compromise can result in breaches of confidentiality, integrity, and availability of sensitive data, which are core concerns of compliance standards like GDPR and HIPAA.

Therefore, if exploited, this vulnerability could cause non-compliance with regulations that require protection of personal data and secure system operations, potentially leading to legal and financial consequences.

