PT-2026-31717 · Praisonai · Praisonai
Published 2026-04-08 · Updated 2026-04-11
CVE-2026-40088
CVSS v3.1: 9.6 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.5.121
Description: PraisonAI's workflow system and command execution tools are vulnerable to command injection because they pass user-controlled input directly to `subprocess.run()` with `shell=True`. With `shell=True`, the shell interprets metacharacters in that input, so an attacker can inject arbitrary shell commands. Input sources include YAML workflow definitions, agent configuration files (agents.yaml), recipe step configurations, and LLM-generated tool call parameters. The vulnerability exists in the execute command function and workflow shell execution. Attackers can exploit it to read sensitive files, modify system files, or execute arbitrary commands with user privileges. Several proof-of-concept attacks demonstrate the vulnerability through malicious YAML workflows, agent configurations, direct API injection, and LLM prompt injection chains. The impact includes potential data exfiltration, system compromise, and remote code execution.

Recommendations: Update to version 4.5.121 or later. As a temporary workaround, disable shell execution by default by using `shell=False` unless explicitly required. Validate input to reject commands containing dangerous characters. Use safe execution by passing commands as argument lists instead of raw strings.

Fix
RCE
OS Command Injection
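The workarounds in the recommendations, shown side by side as an added example; this is not PraisonAI's code or its 4.5.121 patch. The function names, the allowlist, the metacharacter set and the sample string are assumptions made for the illustration.

```python
import shlex
import subprocess

# Hypothetical policy for this example; not taken from PraisonAI.
ALLOWED_BINARIES = {"echo", "ls"}
SHELL_METACHARS = set(";|&$`<>(){}\\\n\r")

# Constructed sample: a benign step value carrying a shell metacharacter.
SAMPLE = "echo hello; echo INJECTED"


class RejectedCommand(ValueError):
    """Raised when a command string fails validation."""


def run_with_shell(command: str) -> str:
    """Pattern the advisory describes: raw string handed to a shell."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def run_without_shell(command: str) -> str:
    """Argument list, shell=False: metacharacters reach the program as text."""
    argv = shlex.split(command)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout


def run_validated(command: str) -> str:
    """Reject metacharacters and unlisted binaries, then run without a shell."""
    bad = sorted(SHELL_METACHARS.intersection(command))
    if bad:
        raise RejectedCommand(f"shell metacharacters not allowed: {bad!r}")
    argv = shlex.split(command)
    if not argv or argv[0] not in ALLOWED_BINARIES:
        raise RejectedCommand(f"binary not on allowlist: {argv[:1]!r}")
    done = subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)
    return done.stdout


if __name__ == "__main__":
    print(repr(run_with_shell(SAMPLE)))     # the shell runs two commands
    print(repr(run_without_shell(SAMPLE)))  # one echo, ';' printed literally
    try:
        run_validated(SAMPLE)
    except RejectedCommand as exc:
        print("rejected:", exc)
```

Removing the shell stops metacharacter interpretation, but arguments still reach the program unchanged, so an allowlist should contain only binaries whose options are safe to expose to untrusted input.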
Affected Products
Praisonai