PT-2026-31996 · Unknown+1 · @Smithery/Cli+1

Published

2026-04-10

·

Updated

2026-04-14

·

CVE-2026-40159

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 4.5.128
Description

PraisonAI’s Model Context Protocol (MCP) integration spawns background servers over stdio from user-supplied command strings, for example MCP("npx -y @smithery/cli ..."). These commands are executed through Python’s subprocess module without a restricted environment, so the child process receives the full parent environment (the subprocess default when no env argument is supplied). Every MCP command therefore inherits all environment variables of the host process, including sensitive values such as API keys, authentication tokens and database credentials. This is a risk when untrusted or third-party commands are used: arbitrary code from an external or compromised package runs with access to those inherited variables, which can lead to credential exposure and supply chain attacks. A proof-of-concept (PoC) demonstrates exfiltration of environment variables to an attacker-controlled server using a malicious MCP command. An attacker can thereby obtain secrets defined in .env files or runtime configuration, potentially gaining unauthorized access to external services and causing data breaches or infrastructure compromise.

Recommendations

Upgrade to PraisonAI 4.5.128 or later. In versions prior to 4.5.128, sanitize the env dictionary before passing it to subprocess: explicitly remove known sensitive variables (OPENAI_API_KEY and names matching *_API_KEY, *_TOKEN, etc.) from child processes unless the user has explicitly whitelisted them, and provide a strict allowlist parameter for the variables the developer intends to pass down. Document for users the risk of loading MCP tools with npx -y, which fetches and executes a package without confirmation.

Fix

Information Disclosure


Weakness Enumeration

Related Identifiers

CVE-2026-40159
GHSA-PJ2R-F9MW-VRCQ

Affected Products

@Smithery/Cli
Praisonai