Description
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Published: 2026-04-14
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

PraisonAI’s workflow engine processes YAML files with type: job that can contain run, script, or python elements. These steps invoke shell commands or inline Python without validation, allowing an attacker to execute arbitrary code on the host system. The vulnerability is identified as CWE-78 and CWE-94, representing OS command injection and code injection. The impact is full remote code execution resulting in complete compromise of the machine and any data or credentials the system can access.

Affected Systems

The affected products are MervinPraison PraisonAI and its agent component praisonaiagents. Versions prior to 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents are vulnerable. The issue was fixed in those specific version thresholds, which are listed as the minimum safe release numbers.

Risk and Exploitability

The CVSS base score of 9.8 reflects critical risk. EPSS data is not available, and it is not listed in the CISA KEV catalog. The likely attack vector is an attacker that can provide or modify a workflow YAML file, which, based on the description, is inferred to occur through CI pipelines, shared code repositories, or multi‑tenant deployment environments. Successful exploitation yields full arbitrary command execution on the host, granting the attacker control over the system and access to all data it can reach.

Generated by OpenCVE AI on April 14, 2026 at 05:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later.
  • Restrict creation and distribution of workflow YAML files to trusted, authenticated users only.
  • Disable or remove untrusted 'type: job' workflows in CI pipelines until the patch is applied.
  • Apply least‑privilege principles to the account running the workflow engine to limit potential damage.
  • Monitor logs for unexpected 'run', 'script', or 'python' execution commands.

Generated by OpenCVE AI on April 14, 2026 at 05:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-vc46-vw85-3wvm PraisonAI has critical RCE via `type: job` workflow YAML
History

Mon, 20 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*
Vendors & Products Praison
Praison praisonai
Praison praisonaiagents

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonai
Mervinpraison praisonaiagents

Tue, 14 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Title PraisonAI: Critical RCE via `type: job` workflow YAML
Weaknesses CWE-78
CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Mervinpraison Praisonai Praisonaiagents
Praison Praisonai Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T15:57:15.812Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40288

cve-icon Vulnrichment

Updated: 2026-04-14T15:57:11.673Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T04:17:12.210

Modified: 2026-04-20T17:47:03.130

Link: CVE-2026-40288

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:55Z

Weaknesses