CVE-2026-40088

CRITICAL

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai

Title source: cna

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metacharacters. This vulnerability is fixed in 4.5.121.

References (2)

[X_Refsource_Confirm] https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2763-cj5r-c79m

[X_Refsource_Misc] https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.121

Scores

CVSS v3 9.6

EPSS 0.0005

EPSS Percentile 16.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-78

Status published

Products (4)

MervinPraison/PraisonAI < 4.5.121

praison/praisonai < 4.5.121

pypi/PraisonAI 0 - 4.5.121PyPI

pypi/praisonai 0 - 4.5.121PyPI

Published Apr 09, 2026

Tracked Since Apr 10, 2026