PT-2026-31792 · Unknown · Praisonaiagents

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-40153

CVSS v3.1: 7.4 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions: PraisonAIAgents versions prior to 1.5.128

Description: PraisonAIAgents is a multi-agent teams system. The execute command function in shell tools.py calls os.path.expandvars() on every command argument, allowing exfiltration of secrets stored in environment variables. The approval system displays unexpanded environment variable references to reviewers, creating a deceptive approval process where the displayed command differs from the executed command.

Recommendations: Update to version 1.5.128 or later.
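
The sketch below is an added example, not PraisonAIAgents code and not the project's fix; every function name and the `DEMO_API_KEY` variable are hypothetical. It shows how to detect arguments where the reviewed text and the executed text would diverge under `os.path.expandvars()`, and an approval flow that parses once and runs the reviewed argv verbatim.

```python
import os
import re
import shlex
import subprocess
import sys

# $NAME and ${NAME}: the reference forms os.path.expandvars() substitutes on POSIX.
ENV_REF = re.compile(r"\$(?:(\w+)|\{([^}]*)\})", re.ASCII)


def approval_mismatches(command: str) -> list[tuple[str, str]]:
    """Return (shown, executed) pairs for arguments that expansion would change.

    Models the flaw in the description: the reviewer is shown the left value,
    while an executor that expands after approval runs the right one.
    """
    shown = shlex.split(command)
    return [(a, os.path.expandvars(a)) for a in shown if os.path.expandvars(a) != a]


def build_approval_request(command: str) -> dict:
    """Parse once; the argv the reviewer sees is the argv that will be executed."""
    argv = shlex.split(command)
    # Flag every reference, including variables that are unset right now.
    refs = sorted({m.group(1) or m.group(2) for a in argv for m in ENV_REF.finditer(a)})
    return {"argv": argv, "env_refs": refs, "needs_attention": bool(refs)}


def run_approved(request: dict) -> str:
    """Execute the reviewed argv verbatim: no shell, no expandvars()."""
    done = subprocess.run(request["argv"], shell=False, capture_output=True,
                          text=True, timeout=10, check=True)
    return done.stdout


if __name__ == "__main__":
    os.environ["DEMO_API_KEY"] = "constructed-secret-value"  # constructed sample value
    cmd = (f"{shlex.quote(sys.executable)} -c 'import sys; print(sys.argv[1])' "
           "'token=$DEMO_API_KEY'")
    print("diverging arguments:", approval_mismatches(cmd))
    req = build_approval_request(cmd)
    print("references shown to reviewer:", req["env_refs"])
    print("child process received:", run_approved(req).strip())
```
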

Related Identifiers

CVE-2026-40153
GHSA-V8G7-9Q6V-P3X8

Affected Products

Praisonaiagents