Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
Published: 2026-04-09
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Secret Exfiltration
Action: Immediate Patch
AI Analysis

Impact

PraisonAIAgents is a multi‑agent system used for orchestrating AI workloads. In releases before version 1.5.128 the execute_command routine in shell_tools.py applies os.path.expandvars() to every supplied argument even though shell=False is used. This unintended expansion allows an attacker to have environment variables such as database passwords, API keys, or cloud access tokens inserted into the command that actually runs, while the approval interface continues to display the original unexpanded $VAR syntax. The consequence is that privileged secrets can be leaked out of the system without the end‑user’s awareness, creating a deceptive approval process and a potential exposure of credential data.

Affected Systems

The vulnerability affects instances of PraisonAIAgents published by MervinPraison, specifically all versions earlier than 1.5.128. Version 1.5.128 and later incorporate a fix that removes the manual variable expansion step.

Risk and Exploitability

The issue carries a CVSS base score of 7.4, indicating moderate‑to‑high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be able to influence command arguments or set environment variables on the host; thus the exposure is likely limited to privileged or local users. Nonetheless, the privacy impact of secret exfiltration makes the problem significant, especially in environments where sensitive credentials are stored in environment variables.

Generated by OpenCVE AI on April 9, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patched version 1.5.128 or any newer release from MervinPraison immediately.
  • If an immediate update is not possible, temporarily disable the os.path.expandvars() call in shell_tools.py or enforce shell=True for command execution.
  • Verify that the approval system displays the correctly expanded command and does not show undeclared $VAR references.
  • Remove or mask sensitive environment variables from the host environment when feasible to reduce the attack surface.
  • Monitor command execution logs for anomalous patterns that may indicate exfiltration attempts.

Generated by OpenCVE AI on April 9, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v8g7-9q6v-p3x8 PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
History

Mon, 20 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonaiagents

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonaiagents

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
Title PraisonAIAgents Affected by Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
Weaknesses CWE-526
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N'}

Subscriptions

Mervinpraison Praisonaiagents
Praison Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:37:40.235Z

Reserved: 2026-04-09T19:31:56.013Z

Link: CVE-2026-40153

cve-icon Vulnrichment

Updated: 2026-04-13T15:26:48.645Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:36.350

Modified: 2026-04-20T19:55:29.037

Link: CVE-2026-40153

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:16Z

Weaknesses
  • CWE-526

    Cleartext Storage of Sensitive Information in an Environment Variable