
CVE-2026-40288 — PraisonAI: Critical RCE via `type: job` workflow YAML

CVSS 9.8 (Critical) · EPSS 0.10% · P26

I. Basic Information for CVE-2026-40288

Vulnerability Information


Vulnerability Title
PraisonAI: Critical RCE via `type: job` workflow YAML
Source: NVD (National Vulnerability Database)
Vulnerability Description
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When `praisonai workflow run <file.yaml>` loads a YAML file with `type: job`, the `JobWorkflowExecutor` in `job_workflow.py` processes steps that support `run:` (shell commands via `subprocess.run()`), `script:` (inline Python via `exec()`), and `python:` (arbitrary Python script execution), all without any validation, sandboxing, or user confirmation. The affected code paths include `action_run()` in `workflow.py` and `_exec_shell()`, `_exec_inline_python()`, and `_exec_python_script()` in `job_workflow.py`. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Source: NVD (National Vulnerability Database)
Vulnerability Title
PraisonAI code injection vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
PraisonAI is a low-code multi-agent collaboration framework by independent developer Mervin Praison. PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 contain a code injection vulnerability. The flaw stems from the workflow engine processing untrusted YAML files, which can lead to arbitrary command and code execution.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
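As an added defensive example (not PraisonAI's own code): a pre-flight audit that flags any `type: job` workflow containing the three executable step kinds named in the description (`run:`, `script:`, `python:`), so a CI gate can reject untrusted files before they reach `praisonai workflow run`. It assumes steps are listed under a top-level `steps:` key, which the advisory does not state, and uses `yaml.safe_load` only for reading files.

```python
"""Pre-flight audit for PraisonAI `type: job` workflow YAML (added example,
not project code). Reports steps whose run:/script:/python: keys the advisory
says JobWorkflowExecutor executes without validation. The `steps:` list
layout is an assumption, not something the advisory documents."""
import sys
from typing import Any

try:
    import yaml  # PyYAML; optional, only needed by audit_file()
except ImportError:
    yaml = None

# Step keys the advisory names, with the sink each one reaches.
EXEC_KEYS = {
    "run": "shell via subprocess.run()",
    "script": "inline Python via exec()",
    "python": "Python script execution",
}


def find_exec_steps(doc: Any) -> list:
    """Return one finding per exec-capable step in a parsed job workflow.

    Documents that are not `type: job` yield nothing: the vulnerable
    executor only handles that workflow type."""
    if not isinstance(doc, dict) or doc.get("type") != "job":
        return []
    findings = []
    for i, step in enumerate(doc.get("steps") or []):
        if not isinstance(step, dict):
            continue
        for key, how in EXEC_KEYS.items():
            if key in step:
                findings.append({"step": i, "name": step.get("name", f"step-{i}"),
                                 "key": key, "how": how,
                                 "value": str(step[key]).strip()[:80]})
    return findings


def audit_file(path: str) -> list:
    """Parse a workflow file with safe_load (never yaml.load) and audit it."""
    if yaml is None:
        raise RuntimeError("PyYAML is not installed")
    with open(path, encoding="utf-8") as fh:
        return find_exec_steps(yaml.safe_load(fh))


if __name__ == "__main__":
    # Constructed sample covering the three step kinds from the advisory.
    sample = {"type": "job", "steps": [
        {"name": "greet", "run": "echo hello"},
        {"name": "calc", "script": "print(1 + 1)"},
        {"name": "report", "python": "tools/report.py"}]}
    hits = audit_file(sys.argv[1]) if len(sys.argv) > 1 else find_exec_steps(sample)
    for h in hits:
        print(f"[BLOCK] step {h['step']} ({h['name']}): {h['key']} -> {h['how']}")
    sys.exit(1 if hits else 0)  # non-zero exit fails the CI gate
```

Run it with a file path to audit a real workflow; with no arguments it audits the embedded sample and exits non-zero because all three step kinds are present.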


Affected Products

Vendor: MervinPraison · Product: PraisonAI · Affected Versions: < 4.5.139 · CPE: -
Vendor: MervinPraison · Product: praisonaiagents · Affected Versions: < 1.5.140 · CPE: -

II. Public POCs for CVE-2026-40288

No public POC found.

III. Intelligence Information for CVE-2026-40288


Same Patch Batch · MervinPraison · 2026-04-14 · 5 CVEs total

CVE-2026-40313 · 9.1 CRITICAL · PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence
CVE-2026-40289 · 9.1 CRITICAL · PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected exte
CVE-2026-40287 · 8.4 HIGH · PraisonAI has RCE via Automatic tools.py Import
CVE-2026-40315 · PraisonAI: SQLiteConversationStore didn't validate table_prefix when constructing SQL quer
