{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40088", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T00:39:12.206Z", "datePublished": "2026-04-09T19:45:13.203Z", "dateUpdated": "2026-04-09T20:14:56.938Z"}, "containers": {"cna": {"title": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.7, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2763-cj5r-c79m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2763-cj5r-c79m"}, {"name": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.121", "tags": ["x_refsource_MISC"], "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.121"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.121", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T19:45:13.203Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121."}], "source": {"advisory": "GHSA-2763-cj5r-c79m", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T20:14:27.344510Z", "id": "CVE-2026-40088", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T20:14:56.938Z"}}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "80F7B2D9-522C-4112-BE9F-DA0C4D9FE908", "versionEndExcluding": "4.5.121", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121."}], "id": "CVE-2026-40088", "lastModified": "2026-04-16T20:40:45.067", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.6, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-09T20:16:27.597", "references": [{"source": "security-advisories@github.com", "tags": ["Release Notes"], "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.121"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2763-cj5r-c79m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.121)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T21:21:51.633510+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAI to version 4.5.121 or later"], "summary": {"action": "Immediate Patch", "impact": "Remote Command Execution via OS Command Injection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects MervinPraison PraisonAI installations running any version prior to 4.5.121. Users who can define or modify agent workflows, upload YAML definitions, or trigger LLM-generated tool calls are at risk.", "description_and_impact": "PraisonAI exposes an execute_command function and shell execution within workflows to user-controlled input. Attackers can inject shell metacharacters through agent workflows, YAML definitions, or LLM-generated tool calls, allowing arbitrary shell commands to run. This elevates the vulnerability to full remote code execution, compromising confidentiality, integrity, and availability of affected systems.", "risk_and_exploitability": "With a CVSS score of 9.7 the flaw is considered critical. While EPSS data is not available, the combination of high severity and the ability to inject commands directly from user-controlled inputs suggests a high likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but the remote attack vector and explicit command execution capabilities warrant immediate attention. Exploitation requires only the ability to supply or alter workflow definitions, which many users may have if role-based controls are not enforced."}}}}, "created": "2026-04-10T08:38:43.925464+00:00", "updated": "2026-04-10T09:29:27.231618+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}