Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
Published: 2026-04-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Command Execution
Action: Immediate Patch
AI Analysis

Impact

PraisonAIAgents allows user–supplied strings to be passed directly to the operating system shell through subprocess.run() with shell=True, and it performs no sanitization. This design flaw enables shell metacharacter injection, giving an adversary the ability to execute arbitrary commands. Two distinct exposure paths exist: configuration hooks registered via pre_run_command and post_run_command events, and the lifecycle configuration file ".praisonai/hooks.json". The latter is particularly dangerous because an attacker who can write to this file—such as by exploiting a prompt injection that grants file‑write access—can overwrite the configuration and have their malicious payload run silently at every lifecycle event without further interaction.

Affected Systems

The vulnerability affects the MervinPraison PraisonAIAgents product prior to version 1.5.128. All releases before 1.5.128 contain the insecure memory hooks executor and are susceptible to command injection. Version 1.5.128 and later have the fix applied.

Risk and Exploitability

The flaw is rated with a CVSS score of 9.3, indicating critical severity. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, suggesting that exploitation may not yet be widespread, though the potential impact remains high. Attacking the flaw requires the ability to supply a crafted command string or to overwrite the hooks.json file, which can be achieved via prompt injection or local write access. Once exploited, the attacker gains the same privileges as the PraisonAIAgents process, allowing full control over the host system.

Generated by OpenCVE AI on April 9, 2026 at 23:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAIAgents to version 1.5.128 or later to eliminate the injection flaw.
  • If an upgrade is not feasible, restrict write permissions on the ".praisonai/hooks.json" file to trusted users only.
  • Continuously monitor the hooks.json file for unexpected changes and audit agent lifecycle logs for suspicious command execution events.

Generated by OpenCVE AI on April 9, 2026 at 23:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v7px-3835-7gjx PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
History

Fri, 17 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonaiagents
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonaiagents

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
Title PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Mervinpraison Praisonaiagents
Praison Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:38:08.279Z

Reserved: 2026-04-09T01:41:38.536Z

Link: CVE-2026-40111

cve-icon Vulnrichment

Updated: 2026-04-13T15:27:25.322Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:34.560

Modified: 2026-04-17T19:40:24.213

Link: CVE-2026-40111

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:29:03Z

Weaknesses