Description
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
Published: 2026-04-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credentials leaked via artifact upload exposing supply chain risk
Action: Immediate Patch
AI Analysis

Impact

The insecure use of the actions/checkout GitHub Action in PraisonAI releases 4.5.139 and earlier results in the GITHUB_TOKEN and, in some cases, the ACTIONS_RUNTIME_TOKEN being written to the .git/config file. When any subsequent workflow step uploads artifacts—such as build logs, test results, or other build outputs—the credentials may be embedded in those files. An attacker who can read the repository obtains these artifacts and extracts the leaked tokens. With these tokens, the attacker can push malicious code, poison releases on PyPI or Docker, and potentially compromise downstream users. This behavior demonstrates an improper restriction of remote access (CWE‑829).

Affected Systems

MervinPraison's PraisonAI multi‑agent systems up to version 4.5.139 are affected. The vulnerability has been corrected in version 4.5.140. No other vendors or product variants are listed.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating a high severity. The EPSS score is not available, and the issue is not currently listed in the CISA KEV catalog. Because the repository is public and artifacts are publicly downloadable, the likely attack vector is through any user with read access pulling artifacts that contain the leaked credentials. The vulnerability is tractable and could be exploited unimpeded as long as the unrepaired workflow remains in place, resulting in unauthorized code injection or supply‑chain compromise.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PraisonAI to version 4.5.140 or newer, where the flaw is fixed.
  • Verify that all workflow files no longer rely on actions/checkout with the default persist‑credentials setting; explicitly set persist‑credentials: false if the action is still used.
  • Scan any existing artifacts for residual GITHUB_TOKEN or ACTIONS_RUNTIME_TOKEN values and remove or exclude those artifacts from public distribution.
  • If an immediate upgrade is not possible, modify the actions/checkout usage to explicitly set persist‑credentials: false to prevent the persistence of credentials.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Tue, 14 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Tue, 14 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
Title PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence
Weaknesses CWE-829
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T16:27:49.836Z

Reserved: 2026-04-10T21:41:54.505Z

Link: CVE-2026-40313

cve-icon Vulnrichment

Updated: 2026-04-14T15:38:49.968Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T04:17:13.890

Modified: 2026-04-20T17:39:52.010

Link: CVE-2026-40313

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:53Z

Weaknesses