Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. This vulnerability is fixed in 4.5.128.
Published: 2026-04-10
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Update
AI Analysis

Impact

PraisonAI’s MCP integration previously allowed arbitrary user-supplied commands to spawn background servers via Python’s subprocess module. The implementation forwarded the complete parent environment to the subprocess, so every host process environment variable, including sensitive API keys, authentication tokens, and database credentials, was exposed to the spawned process. This exposed deployments to potential leakage of confidential data and facilitated supply‑chain attacks by allowing untrusted code to exfiltrate secrets without additional user interaction. The vulnerability’s root cause aligns with CWE‑200 and CWE‑214.
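
The inheritance behaviour described above, next to an allowlisted environment as one way to contain it, as an added example (not PraisonAI's code and not its 4.5.128 patch). The allowlist, the variable names and the child program are constructed for the demonstration.

```python
import json
import os
import subprocess
import sys

# Variables a stdio server typically needs to start; this allowlist is an
# assumption for the example, not PraisonAI's own list.
SAFE_VARS = ("PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT")

# Child program standing in for an untrusted MCP server: it reports the name
# of every environment variable it can see.
CHILD = "import json, os; print(json.dumps(sorted(os.environ)))"


def minimal_env(extra=None, base=None):
    """Build an allowlisted environment plus explicitly granted variables."""
    base = os.environ if base is None else base
    env = {k: base[k] for k in SAFE_VARS if k in base}
    env.update(extra or {})
    return env


def visible_vars(env=None):
    """Run the child and return the set of variable names it saw.

    env=None is subprocess's default: the child inherits the full parent
    environment, which is the behaviour the advisory describes.
    """
    out = subprocess.run(
        [sys.executable, "-c", CHILD],
        env=env, capture_output=True, text=True, check=True,
    ).stdout
    return set(json.loads(out))


def demo():
    # Constructed secret, present in the parent only for this demonstration.
    os.environ["DEMO_DB_PASSWORD"] = "constructed-secret"
    try:
        inherited = visible_vars()  # default inheritance: secret is visible
        scoped = visible_vars(minimal_env({"MCP_DEMO_TOKEN": "constructed"}))
    finally:
        del os.environ["DEMO_DB_PASSWORD"]
    return inherited, scoped


if __name__ == "__main__":
    inherited, scoped = demo()
    print("inherited env sees secret:", "DEMO_DB_PASSWORD" in inherited)
    print("scoped env sees secret:   ", "DEMO_DB_PASSWORD" in scoped)
```

The scoped child receives only the allowlisted variables and the one token passed to it explicitly, so a credential meant for one server is not shared with every other spawned command.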

Affected Systems

The affected product is PraisonAI, version 4.5.127 and earlier. The issue applies to all deployments that use the MCP integration in versions prior to 4.5.128.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity, and the lack of an available EPSS score prevents precise exploitation probability assessment. PraisonAI is not listed in the CISA Known Exploited Vulnerabilities catalog, but the nature of the flaw allows an attacker with access to the MCP command interface to retrieve environment variables, potentially compromising authentication credentials. The most likely attack vector involves an adversary controlling or influencing the command string passed to the MCP integration, which is then executed in a subprocess inheriting the host environment.

Generated by OpenCVE AI on April 10, 2026 at 18:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the patch that updates PraisonAI to version 4.5.128 or newer.



Advisories
Source: GitHub GHSA
ID: GHSA-pj2r-f9mw-vrcq
Title: PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution

History

Mon, 20 Apr 2026 18:45:00 +0000

Values Removed: (none listed)
Values Added:
  • First Time appeared: Praison; Praison praisonai
  • CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
  • Vendors & Products: Praison; Praison praisonai

Wed, 15 Apr 2026 15:15:00 +0000

Values Removed: (none listed)
Values Added:
  • Metrics: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Apr 2026 13:00:00 +0000

Values Removed: (none listed)
Values Added:
  • First Time appeared: Mervinpraison; Mervinpraison praisonai
  • Vendors & Products: Mervinpraison; Mervinpraison praisonai

Fri, 10 Apr 2026 17:15:00 +0000

Values Removed: (none listed)
Values Added:
  • Description: same text as the Description at the top of this page
  • Title: PraisonAI Exposes Sensitive Environment Variable via Untrusted MCP Subprocess Execution
  • Weaknesses: CWE-200; CWE-214
  • References:
  • Metrics: cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-15T14:48:42.389Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40159

Vulnrichment

Updated: 2026-04-15T14:48:36.605Z

NVD

Status: Analyzed

Published: 2026-04-10T17:17:13.763

Modified: 2026-04-20T18:33:49.580

Link: CVE-2026-40159

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T13:00:15Z
