CVE-2026-40313
Credential Leakage via GitHub Actions in PraisonAI
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 4.5.140 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40313, known as the ArtiPACKED vulnerability, affects the PraisonAI package in versions 4.5.139 and below. It arises from a misconfiguration in GitHub Actions workflows where the action 'actions/checkout' is used without setting 'persist-credentials: false'. By default, this action writes sensitive tokens like GITHUB_TOKEN and sometimes ACTIONS_RUNTIME_TOKEN into the .git/config file for persistence.
If subsequent workflow steps upload artifacts such as build outputs, logs, or test results, these tokens can be inadvertently included in those artifacts. Since PraisonAI is a public repository, anyone with read access can download these artifacts and extract the leaked tokens.
This leakage enables attackers to use the tokens to push malicious code, poison releases and packages, steal other repository secrets, and execute a full supply chain compromise affecting all downstream users.
The root cause is the inclusion of executable functionality from an untrusted control sphere, where workflows inadvertently expose sensitive credentials. The vulnerability has a high severity with a CVSS v3 base score of 9.1 and was fixed in version 4.5.140 by setting 'persist-credentials: false' in the checkout action.
How can this vulnerability impact me?
This vulnerability can have critical impacts including unauthorized access and control over the affected repository.
- Attackers can push malicious code directly to the main branch or create malicious pull requests.
- Releases, PyPI packages, and Docker images can be poisoned, enabling supply chain attacks that affect all downstream users.
- Attackers can steal other repository secrets such as tokens for OpenAI, Anthropic, Gemini, Groq, Claude, and personal access tokens.
- The entire PraisonAI project and all users who install the package or use its Docker images can be compromised.
- Privilege escalation is possible depending on the permissions of the leaked tokens.
Overall, this vulnerability enables a full supply chain compromise with high confidentiality and integrity impacts, potentially leading to remote code execution and compromised developer environments.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting GitHub Actions workflows for the usage of the actions/checkout step without the parameter persist-credentials: false. Specifically, check if the workflows upload artifacts that may contain the .git/config file where tokens are persisted.
You can look for workflows that use actions/checkout@v4 (or similar) without persist-credentials: false and check if artifacts are uploaded afterward. Additionally, scanning artifacts for leaked tokens such as GITHUB_TOKEN (prefix ghs_) or ACTIONS_RUNTIME_TOKEN can help detect exposure.
Suggested commands include:
- Review workflow YAML files in the repository under .github/workflows/ and .github/actions/ for actions/checkout steps missing persist-credentials: false.
- Use GitHub CLI or API to list recent workflow runs and download artifacts to inspect them for presence of .git/config files or tokens.
- Search artifacts for token patterns, e.g., using grep or similar tools to find strings starting with 'ghs_' or JWT tokens.
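An artifact scan along these lines, as an added example that is not from the advisory or the PraisonAI project. actions/checkout persists the token in .git/config as a base64-encoded basic-auth extraheader, so the scan decodes that header in addition to matching ghs_ in plain text; `scan_artifact`, the token-length bound and the sample archive are assumptions constructed for the example.

```python
import base64
import io
import re
import zipfile

# GitHub installation tokens start with ghs_; the minimum tail length is an assumption.
TOKEN_RE = re.compile(r"ghs_[A-Za-z0-9]{20,}")
# Persisted credential line: extraheader = AUTHORIZATION: basic <base64>
HEADER_RE = re.compile(r"extraheader\s*=\s*AUTHORIZATION:\s*basic\s+([A-Za-z0-9+/=]+)", re.I)


def scan_artifact(zip_bytes):
    """Return (member, kind, redacted_token) findings for one artifact archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            text = zf.read(name).decode("utf-8", errors="replace")
            sources = [("plaintext", text)]
            for b64 in HEADER_RE.findall(text):
                try:
                    decoded = base64.b64decode(b64).decode("utf-8", errors="replace")
                except ValueError:  # not valid base64, nothing to decode
                    continue
                sources.append(("extraheader", decoded))
            for kind, body in sources:
                for tok in TOKEN_RE.findall(body):
                    # Report a prefix only, so the findings do not re-leak the secret.
                    findings.append((name, kind, tok[:8] + "..."))
    return findings


def build_sample_artifact():
    """Constructed artifact: a checkout directory zipped together with its .git folder."""
    fake = "ghs_" + "A" * 36  # constructed placeholder, not a real token
    cred = base64.b64encode(("x-access-token:" + fake).encode()).decode()
    config = '[http "https://github.com/"]\n\textraheader = AUTHORIZATION: basic ' + cred + "\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("repo/.git/config", config)
        zf.writestr("repo/build.log", "tests passed\n")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_artifact(build_sample_artifact()):
        print(finding)
```

Any finding means the token behind it should be treated as exposed, and the artifact removed.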
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update all GitHub Actions workflows that use actions/checkout to include the parameter persist-credentials: false. This prevents the GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN from being persisted in the .git/config file and thus prevents token leakage.
Additionally, upgrading PraisonAI to version 4.5.140 or later, where this issue is fixed, is recommended.
Other recommended steps include:
- Audit and remove any artifacts that may contain leaked tokens.
- Avoid uploading entire checkout directories as artifacts, especially those containing the .git folder.
- Consider setting fetch-depth: 1 in actions/checkout to improve speed and reduce unnecessary data.
- Review and rotate any potentially leaked tokens or secrets.
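The workflow review described under detection and the persist-credentials fix above can be checked with one script. This is an added example, not PraisonAI's or GitHub's code; it is an indentation-based heuristic rather than a full YAML parser, and `audit_workflow` and both sample workflows are constructed here.

```python
import re

ITEM_RE = re.compile(r"^(\s*)-\s+\S")
USES_RE = re.compile(r"\buses:\s*['\"]?([\w./-]+)@")
PERSIST_RE = re.compile(r"\bpersist-credentials:\s*['\"]?(\w+)")


def audit_workflow(text):
    """Return (line_number, issue) pairs for one workflow file's text."""
    # Drop YAML comments so a commented-out setting does not count as applied.
    lines = [re.sub(r"(^|\s)#.*", "", ln) for ln in text.splitlines()]
    findings, risky, i = [], False, 0
    while i < len(lines):
        if re.match(r"^\s*steps:\s*$", lines[i]):
            risky = False  # each job starts from a fresh workspace
        item = ITEM_RE.match(lines[i])
        start, i = i, i + 1
        if not item:
            continue
        depth = len(item.group(1))
        # A step is its "- " line plus every deeper-indented (or blank) line after it.
        while i < len(lines) and (
                not lines[i].strip() or re.match(r"\s*", lines[i]).end() > depth):
            i += 1
        step = "\n".join(lines[start:i])
        uses = USES_RE.search(step)
        action = uses.group(1).lower() if uses else ""
        if action == "actions/checkout":
            persist = PERSIST_RE.search(step)
            # Anything other than a literal false (missing, true, an expression) is flagged.
            if not persist or persist.group(1).lower() != "false":
                risky = True
                findings.append((start + 1, "checkout persists credentials"))
        elif action == "actions/upload-artifact" and risky:
            findings.append((start + 1, "artifact uploaded after credentialed checkout"))
    return findings


# Constructed workflows for illustration, not PraisonAI's own files.
VULNERABLE = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
        with:
          path: .
"""
HARDENED = VULNERABLE.replace(
    "checkout@v4\n", "checkout@v4\n        with:\n          persist-credentials: false\n")
```

`audit_workflow(VULNERABLE)` reports both the checkout and the upload that follows it, while `audit_workflow(HARDENED)` reports nothing; `path: .` in the sample still uploads the .git folder, which the list above advises against.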
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-40313 vulnerability leads to credential leakage that can result in unauthorized access to repository secrets and the ability to push malicious code or poison supply chains. This type of security breach can compromise the confidentiality and integrity of data and systems.
Such unauthorized access and data exposure could potentially violate compliance requirements under common standards and regulations like GDPR and HIPAA, which mandate strict controls over sensitive data and access management to prevent data breaches and ensure data integrity.
Specifically, the leakage of tokens and secrets could lead to unauthorized data processing or exposure, which may be considered a breach under GDPR, requiring notification and remediation. Similarly, HIPAA requires safeguarding electronic protected health information (ePHI), and a supply chain compromise could threaten such safeguards.
Therefore, organizations using affected versions of PraisonAI without mitigation may face compliance risks due to the potential for unauthorized access and data compromise stemming from this vulnerability.