PraisonAI Workflow Engine Vulnerability CVE-2026-40288
PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to arbitrary command execution via untrusted YAML files processed by the workflow engine.
PraisonAI, a multi-agent teams system, contains a critical vulnerability (CVE-2026-40288) affecting versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. This flaw resides in the workflow engine and allows for arbitrary command and code execution through the use of untrusted YAML files. Specifically, when a YAML file with type: job is loaded, the JobWorkflowExecutor processes steps like run, script, and python without proper validation or sandboxing. An attacker who can supply or influence a workflow YAML file can execute arbitrary commands on the host system. This poses a significant risk, especially in CI/CD pipelines, shared repositories, or multi-tenant environments where workflow files may be easily accessible or modifiable, leading to complete system compromise.
Attack Chain
- An attacker gains the ability to supply or influence a workflow YAML file within a PraisonAI environment. This could involve compromising a shared repository or manipulating a CI/CD pipeline.
- The attacker crafts a malicious YAML file containing a
type: jobdefinition. - Within the YAML file, the attacker utilizes the
run:step to inject arbitrary shell commands. Alternatively, they could use thescript:step for inline Python code execution or thepython:step to specify an arbitrary Python script. - The
praisonai workflow run <file.yaml>command is executed, loading the malicious YAML file. - The
JobWorkflowExecutorinjob_workflow.pyprocesses the YAML file. - The
action_run()function inworkflow.pyis called, which in turn executes the injected code via_exec_shell(),_exec_inline_python(), or_exec_python_script()injob_workflow.py. - The arbitrary command or code is executed on the host system without validation or user confirmation.
- The attacker achieves full arbitrary command execution, potentially compromising the machine, accessing sensitive data, or obtaining credentials.
Impact
Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host system running PraisonAI. This can lead to complete system compromise, including unauthorized access to sensitive data, credential theft, and the potential for lateral movement within the network. The vulnerability is particularly dangerous in environments with shared workflow configurations or multi-tenant deployments. While specific victim counts are unavailable, any system running the vulnerable versions of PraisonAI or praisonaiagents is at risk, potentially leading to significant data breaches and operational disruption.
Recommendation
- Immediately upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40288.
- Deploy the Sigma rule "Detect PraisonAI Workflow YAML Execution" to your SIEM to detect potential exploitation attempts.
- Implement strict access controls and input validation for workflow YAML files to prevent unauthorized modification or injection of malicious code.
- Monitor process execution logs for suspicious commands originating from PraisonAI processes, as detected by the "Suspicious Process Execution from PraisonAI" Sigma rule.
Detection coverage 2
Detect PraisonAI Workflow YAML Execution
highDetects execution of the `praisonai workflow run` command, which can load and execute arbitrary YAML files containing malicious code.
Suspicious Process Execution from PraisonAI
mediumDetects suspicious process execution originating from PraisonAI processes, indicating potential code execution via YAML files.
Detection queries are available on the platform. Get full rules →