Critical (9.6)

CVE-2026-40088: PraisonAI Command Injection


PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM...

Overview

A critical command injection vulnerability, CVE-2026-40088, affects PraisonAI, a framework for creating multi-agent AI teams. Versions prior to 4.5.121 expose shell execution functions to user-controlled input, allowing attackers to run arbitrary commands on the host system.

Vulnerability Details

The vulnerability exists because the execute_command function and workflow shell execution mechanisms do not properly sanitize input. Attackers can inject malicious shell commands through several vectors:

  • Agent workflows and their YAML configuration definitions.
  • Tool calls generated by the system’s own Large Language Models (LLMs).

By inserting shell metacharacters (like ;, &, |, or `) into these inputs, an attacker can break out of the intended command and execute their own code on the underlying server.
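The defensive counterpart to the metacharacter break-out described above, as an added example (this is not PraisonAI's code or the vendor's patch): a gate that rejects command strings carrying shell metacharacters, checks the binary against an allowlist, and executes without a shell. The allowlist contents, the function names and the sample inputs are assumptions made for illustration.

```python
import shlex
import subprocess

# Assumed policy for this sketch: the only binaries a tool call may invoke.
ALLOWED_BINARIES = {"ls", "cat", "echo"}
# The metacharacters named above, plus $, <, > and newline.
SHELL_METACHARS = set(";&|`$<>\n")


class CommandRejected(ValueError):
    """The requested command failed the policy check."""


def validate_command(command: str) -> list[str]:
    """Return an argv list for `command`, or raise CommandRejected."""
    bad = sorted(SHELL_METACHARS.intersection(command))
    if bad:
        raise CommandRejected(f"shell metacharacters present: {bad!r}")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise CommandRejected(f"binary not allowlisted: {argv[:1]!r}")
    return argv


def run_tool_command(command: str, timeout: float = 10.0):
    """Run a validated command with shell=False, so no shell re-parses it."""
    return subprocess.run(validate_command(command), shell=False,
                          capture_output=True, text=True, timeout=timeout)


def audit(commands):
    """Map each requested command string to 'allow' or a rejection reason."""
    verdicts = {}
    for cmd in commands:
        try:
            validate_command(cmd)
            verdicts[cmd] = "allow"
        except CommandRejected as exc:
            verdicts[cmd] = f"reject: {exc}"
    return verdicts


# Constructed inputs, as they might arrive from a YAML step or LLM tool call.
SAMPLES = ["ls -la /tmp", "echo hello; id", "cat notes.txt | sh",
           "echo `whoami`", "curl http://example.invalid/x"]

if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLES).items():
        print(f"{verdict:<52} {cmd}")
```

Passing an argv list with shell=False means the operating system receives each argument verbatim; the metacharacter check is an extra layer that also gives a clear signal worth logging when an input is rejected.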

Impact and Severity

This vulnerability is rated CRITICAL with a CVSS score of 9.6. The high score is due to the attack being possible over a network (Attack Vector: NETWORK), requiring low technical skill to perform (Attack Complexity: LOW), and needing no prior privileges (Privileges Required: NONE). Successful exploitation could lead to:

  • Full compromise of the server hosting the PraisonAI instance.
  • Data theft, deletion, or encryption.
  • Deployment of persistent backdoors or malware.
  • Use of the server as a launch point for attacks on internal networks.

Remediation and Mitigation

The primary and only complete mitigation is to upgrade PraisonAI to version 4.5.121 or later immediately. The vendor has patched the insecure functions in this release. If immediate upgrading is not possible, consider these temporary measures while planning the upgrade:

  • Isolate the affected PraisonAI instance from other critical network segments.
  • Restrict access to the PraisonAI interface to only trusted, necessary users.
  • Review system and application logs for any unusual command execution patterns.

Security Insight

This vulnerability highlights the inherent risks when AI agent systems are granted the ability to interact with foundational OS components like the shell. As frameworks like PraisonAI automate complex tasks, a single injection point can cascade into a full system breach, underscoring the need for rigorous input validation in all AI-agent-to-system interfaces. This incident mirrors a growing trend: as attackers adopt AI-powered tools, vulnerabilities are surfacing in the very AI automation platforms defenders are adopting.
