{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40313", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T21:41:54.505Z", "datePublished": "2026-04-14T03:10:23.697Z", "dateUpdated": "2026-04-14T16:27:49.836Z"}, "containers": {"cna": {"title": "PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence", "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "lang": "en", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2"}, {"name": "https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html", "tags": ["x_refsource_MISC"], "url": "https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html"}, {"name": "https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens", "tags": ["x_refsource_MISC"], "url": "https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.140", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T03:12:04.840Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140."}], "source": {"advisory": "GHSA-3959-6v5q-45q2", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T15:38:40.800881Z", "id": "CVE-2026-40313", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T16:27:49.836Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40313", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T15:38:40.800881Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T15:38:49.968Z"}}], "cna": {"title": "PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence", "source": {"advisory": "GHSA-3959-6v5q-45q2", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.140"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html", "name": "https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html", "tags": ["x_refsource_MISC"]}, {"url": "https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens", "name": "https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829: Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T03:12:04.840Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40313", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:27:49.836Z", "dateReserved": "2026-04-10T21:41:54.505Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T03:10:23.697Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD852D9F-8355-4F4D-BCD7-6897A46FF1E9", "versionEndExcluding": "4.5.140", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140."}], "id": "CVE-2026-40313", "lastModified": "2026-04-20T17:39:52.010", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T04:17:13.890", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2"}, {"source": "security-advisories@github.com", "tags": ["Press/Media Coverage"], "url": "https://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html"}, {"source": "security-advisories@github.com", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.140)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-14T05:21:38.898494+00:00", "value": {"mitigation_remediation": ["Update PraisonAI to version 4.5.140 or newer, where the flaw is fixed.", "Verify that all workflow files no longer rely on actions/checkout with the default persist\u2011credentials setting; explicitly set persist\u2011credentials: false if the action is still used.", "Scan any existing artifacts for residual GITHUB_TOKEN or ACTIONS_RUNTIME_TOKEN values and remove or exclude those artifacts from public distribution.", "If an immediate upgrade is not possible, modify the actions/checkout usage to explicitly set persist\u2011credentials: false to prevent the persistence of credentials."], "summary": {"action": "Immediate Patch", "impact": "Credentials leaked via artifact upload exposing supply chain risk"}, "threat_synthesis": {"affected_systems": "MervinPraison's PraisonAI multi\u2011agent systems up to version 4.5.139 are affected. The vulnerability has been corrected in version 4.5.140. No other vendors or product variants are listed.", "description_and_impact": "The insecure use of the actions/checkout GitHub Action in PraisonAI releases 4.5.139 and earlier results in the GITHUB_TOKEN and, in some cases, the ACTIONS_RUNTIME_TOKEN being written to the .git/config file. When any subsequent workflow step uploads artifacts\u2014such as build logs, test results, or other build outputs\u2014the credentials may be embedded in those files. An attacker who can read the repository obtains these artifacts and extracts the leaked tokens. With these tokens, the attacker can push malicious code, poison releases on PyPI or Docker, and potentially compromise downstream users. This behavior demonstrates an improper restriction of remote access (CWE\u2011829).", "risk_and_exploitability": "The flaw carries a CVSS score of 9.1, indicating a high severity. The EPSS score is not available, and the issue is not currently listed in the CISA KEV catalog. Because the repository is public and artifacts are publicly downloadable, the likely attack vector is through any user with read access pulling artifacts that contain the leaked credentials. The vulnerability is tractable and could be exploited unimpeded as long as the unrepaired workflow remains in place, resulting in unauthorized code injection or supply\u2011chain compromise."}}}}, "created": "2026-04-14T16:15:56.937936+00:00", "updated": "2026-04-14T16:30:53.528030+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}