CRITICAL · CVE-2026-40088 · CVSS 9.6

CVE-2026-40088: Command Injection in PraisonAI

Platform: python

Component: praisonai

Fixed in: 4.5.122, 4.5.121

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2026-40088 is a critical Command Injection vulnerability affecting PraisonAI versions up to 4.5.98. This vulnerability allows attackers to execute arbitrary shell commands by injecting malicious input into workflow definitions, agent configurations, and LLM-generated tool calls. The vulnerability stems from the insecure use of subprocess.run() with shell=True. A patch is available in version 4.5.121.


Impact and Attack Scenarios

The impact of CVE-2026-40088 is severe, enabling an attacker to gain complete control over the system running PraisonAI. Successful exploitation allows for arbitrary code execution with the privileges of the PraisonAI process. This could lead to data exfiltration, system compromise, and potentially lateral movement within the network. The vulnerability's exposure through multiple input vectors (YAML, agent configs, LLM calls) increases the attack surface and potential for exploitation. The use of shell=True directly exposes the system to command injection, similar to vulnerabilities seen in other applications that mishandle user input in shell commands.

Exploitation Context

CVE-2026-40088 was publicly disclosed on 2026-04-08. The vulnerability's severity and ease of exploitation suggest a medium to high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. It is not currently listed on CISA KEV.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO
Internet Exposure: High
Reports: 1 threat report

EPSS

0.06% (17th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS v3.1 Base Score: 9.6 (CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)

What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope
Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: praisonai
Vendor: osv
Affected range: < 4.5.121 – < 4.5.121
Fixed in: 4.5.122, 4.5.121

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 1 day after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2026-40088 is to upgrade PraisonAI to version 4.5.121 or later. If you cannot upgrade immediately, apply temporary workarounds. Strict input validation and sanitization of all user-controlled data within workflow definitions, agent configurations, and LLM-generated tool calls are crucial. Disable or restrict the use of LLM-generated tool calls if possible. Consider using a Web Application Firewall (WAF) with command injection rules to filter malicious input. Monitor system logs for suspicious shell activity and unusual process executions.

How to fix

Update PraisonAI to version 4.5.121 or higher to mitigate the command injection vulnerability. This update corrects how user-controlled input is handled in the `execute_command` functions and workflow shell execution, preventing arbitrary command injection.
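
The root cause named on this page, subprocess.run() with shell=True, shown beside a hardened form. This is an added example, not PraisonAI's code or its actual patch; the function names, the allowlist and the sample workflow step are hypothetical, and it assumes a POSIX host with `echo` on the PATH.

```python
import shlex
import subprocess

# Hypothetical allowlist: the only programs a workflow step may launch.
ALLOWED_PROGRAMS = {"echo", "ls", "cat"}


def run_step_unsafe(command: str) -> str:
    """Vulnerable pattern: the whole string is interpreted by /bin/sh,
    so ';', '|', '$()' and friends inside the input become shell syntax."""
    result = subprocess.run(command, shell=True, capture_output=True, text=True)
    return result.stdout


def run_step_safe(command: str, timeout: float = 10.0) -> str:
    """Hardened pattern: tokenize once, allowlist the program, and exec the
    argument vector directly so no shell ever parses the input."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise PermissionError(f"program not allowed: {argv[0]!r}")
    result = subprocess.run(
        argv,
        shell=False,          # no /bin/sh: metacharacters stay literal
        capture_output=True,
        text=True,
        timeout=timeout,      # bound runaway child processes
        check=False,
    )
    return result.stdout


# Constructed sample: a step template filled with an untrusted value, as
# could arrive from a workflow definition or an LLM-generated tool call.
UNTRUSTED_VALUE = "report.txt; echo INJECTED"
STEP = f"echo processing {UNTRUSTED_VALUE}"

if __name__ == "__main__":
    # The shell splits at ';' and runs a second command.
    print(repr(run_step_unsafe(STEP)))
    # Without a shell, the ';' is just part of an argument to echo.
    print(repr(run_step_safe(STEP)))
```

Avoiding the shell stops metacharacter injection, and the allowlist limits which program untrusted text can select. Arguments passed to an allowed program still need per-program validation, since untrusted text can supply options.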


Frequently asked questions

What is CVE-2026-40088 — Command Injection in PraisonAI?

CVE-2026-40088 is a critical vulnerability in PraisonAI allowing attackers to inject shell commands via YAML, agent configs, and LLM calls, potentially leading to system compromise.

Am I affected by CVE-2026-40088 in PraisonAI?

You are affected if you are using PraisonAI versions 4.5.98 or earlier. Upgrade to 4.5.121 or later to mitigate the risk.

How do I fix CVE-2026-40088 in PraisonAI?

Upgrade PraisonAI to version 4.5.121 or later. As a temporary workaround, implement strict input validation and sanitization of user-controlled data.

Is CVE-2026-40088 being actively exploited?

While no public exploits are currently known, the vulnerability's severity and ease of exploitation suggest a potential for active exploitation.

Where can I find the official PraisonAI advisory for CVE-2026-40088?

Refer to the PraisonAI security advisory for detailed information and updates regarding CVE-2026-40088.
