CVE-2026-40088

PraisonAI · PraisonAI

PraisonAI is vulnerable to command injection via the execute_command function and workflow shell execution, allowing attackers to execute arbitrary commands through crafted YAML or LLM inputs.

Executive summary

A critical command injection vulnerability in PraisonAI allows attackers to execute arbitrary shell commands, potentially leading to full system compromise.

Vulnerability

This vulnerability involves improper neutralization of special elements used in an OS command. Attackers can inject arbitrary shell metacharacters through agent workflows, YAML definitions, or LLM-generated tool calls, which the application then executes with system-level privileges.

Business impact

Successful exploitation of this vulnerability allows an attacker to achieve remote code execution on the underlying host. Given the CVSS score of 9.6, this represents a critical risk that could lead to complete data exfiltration, lateral movement within the network, and full loss of system integrity.

Remediation

Immediate Action: Upgrade the PraisonAI system to version 4.5.121 or later immediately to resolve the command injection flaw.

Proactive Monitoring: Review system logs for unusual shell process spawns or unexpected command execution patterns originating from agent workflows.

Compensating Controls: Implement strict input validation for all YAML definitions and restrict agent workflow permissions to the least privilege necessary to prevent unauthorized shell access.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The severity of this vulnerability necessitates immediate patching. Organizations utilizing PraisonAI must prioritize updating to version 4.5.121 to mitigate the risk of arbitrary code execution and potential total system compromise.