PT-2026-31782 · Praisonai+1 · Praisonai+1

Published: 2026-04-09 · Updated: 2026-04-10 · CVE-2026-40113

CVSS v3.1: 8.4 (High)

Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 4.5.128

Description

PraisonAI is a multi-agent teams system. The deploy.py script constructs a comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai model, openai key, and openai base without validating for commas. The gcloud command uses a comma as a separator for key-value pairs in the --set-env-vars argument. A comma within any of these three values causes gcloud to incorrectly parse subsequent text as additional KEY=VALUE definitions, leading to the injection of arbitrary environment variables into the deployed Cloud Run service.

Recommendations

Update PraisonAI to version 4.5.128 or later.
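
The parsing problem described above, shown as an added example (not PraisonAI's code and not its fix). The variable names `OPENAI_MODEL`, `OPENAI_KEY` and `OPENAI_BASE`, all helper names and the sample values are assumptions, and `split_like_gcloud` is a simplified model of comma-delimited `KEY=VALUE` parsing rather than gcloud's own parser.

```python
EXPECTED_KEYS = {"OPENAI_MODEL", "OPENAI_KEY", "OPENAI_BASE"}  # assumed names


def build_set_env_vars_unsafe(model: str, key: str, base: str) -> str:
    """Direct interpolation, the pattern the advisory describes."""
    return f"OPENAI_MODEL={model},OPENAI_KEY={key},OPENAI_BASE={base}"


def split_like_gcloud(arg: str) -> dict:
    """Simplified model: split on commas, then on the first '=' of each item."""
    parsed = {}
    for item in arg.split(","):
        name, _, value = item.partition("=")
        parsed[name] = value
    return parsed


def unexpected_keys(arg: str) -> set:
    """Keys the deployed service would receive that the caller never intended."""
    return set(split_like_gcloud(arg)) - EXPECTED_KEYS


def build_set_env_vars_checked(model: str, key: str, base: str) -> str:
    """Reject any value containing the list delimiter or a line break,
    then confirm the built string parses back to exactly the expected keys."""
    values = {"OPENAI_MODEL": model, "OPENAI_KEY": key, "OPENAI_BASE": base}
    for name, value in values.items():
        if any(ch in value for ch in ",\r\n"):
            raise ValueError(f"{name} contains a delimiter character")
    arg = ",".join(f"{n}={v}" for n, v in values.items())
    if set(split_like_gcloud(arg)) != EXPECTED_KEYS:
        raise ValueError("built argument does not parse to the expected keys")
    return arg


# Constructed sample input: one value carries a comma.
TAINTED_MODEL = "gpt-4o,EXTRA_VAR=injected"
SAMPLE_KEY = "sk-test"
SAMPLE_BASE = "https://api.example.test/v1"

if __name__ == "__main__":
    unsafe = build_set_env_vars_unsafe(TAINTED_MODEL, SAMPLE_KEY, SAMPLE_BASE)
    print("unsafe argument:", unsafe)
    print("unexpected keys:", unexpected_keys(unsafe))
    try:
        build_set_env_vars_checked(TAINTED_MODEL, SAMPLE_KEY, SAMPLE_BASE)
    except ValueError as exc:
        print("checked builder refused:", exc)
```

The same round-trip check (`unexpected_keys`) can be run over deployment scripts or CI logs to flag `--set-env-vars` strings that parse to more keys than the script meant to set.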

Fix

Argument Injection


Weakness Enumeration

Related Identifiers

CVE-2026-40113
GHSA-FVXX-GGMX-3CJG

Affected Products

Praisonai
Wgcloud