PraisonAI and PraisonAI Agents: Unrestricted Code Execution Threat

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

9.8

PraisonAI and PraisonAI Agents: Unrestricted Code Execution Threat

CVE-2026-40288

Summary

Versions of PraisonAI and PraisonAI Agents below 4.5.139 and 1.5.140 are at risk of a serious security threat. An attacker can execute arbitrary commands on the system by manipulating specific YAML files used in the workflow. This could lead to a complete takeover of the system and access to sensitive data. Update to PraisonAI 4.5.139 and PraisonAI Agents 1.5.140 to fix the issue.

Original title

Original description

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.

nvd CVSS3.1 9.8

Vulnerability type

CWE-78 OS Command Injection

CWE-94 Code Injection

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3w...

Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026