CVE-2026-40288

Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.139 praisonaiagents versions prior to 1.5.140

Description The workflow engine is susceptible to arbitrary command and code execution through untrusted YAML files. When the system loads a YAML file with type: job, the JobWorkflowExecutor in job workflow.py processes steps that support run (shell commands via subprocess.run()), script (inline Python via exec()), and python (arbitrary Python script execution) without validation, sandboxing, or user confirmation. Affected code paths include the action run() function in workflow.py and the exec shell(), exec inline python(), and exec python script() functions in job workflow.py. An attacker who can supply or influence a workflow YAML file, particularly in CI pipelines, shared repositories, or multi-tenant deployment environments, can achieve full arbitrary command execution on the host system.

Recommendations Update PraisonAI to version 4.5.139. Update praisonaiagents to version 1.5.140. Restrict the use of run, script, and python steps in workflow YAML files to trusted sources only.