PraisonAI Cloud Run Environment Variable Injection Vulnerability (CVE-2026-40113)
PraisonAI versions before 4.5.128 are vulnerable to arbitrary environment variable injection in Google Cloud Run deployments due to insufficient input validation when constructing the `--set-env-vars` argument, potentially leading to privilege escalation.
PraisonAI, a multi-agent teams system, contains a vulnerability in versions prior to 4.5.128 that allows for arbitrary environment variable injection into Google Cloud Run deployments. The vulnerability, identified as CVE-2026-40113, stems from the deploy.py script's construction of the --set-env-vars argument for the gcloud run deploy command. Specifically, the script directly interpolates the openai_model, openai_key, and openai_base variables into a comma-delimited string without validating for the presence of commas within these values. Since gcloud uses commas as key-value pair separators, a comma within any of these values allows an attacker to inject arbitrary environment variables into the deployed Cloud Run service, leading to potential privilege escalation. This vulnerability poses a significant risk to organizations using vulnerable versions of PraisonAI, allowing attackers to potentially modify application behavior or gain unauthorized access to sensitive resources.
Attack Chain
- The attacker identifies a PraisonAI instance running a version prior to 4.5.128.
- The attacker crafts a malicious payload containing a comma within the
openai_model,openai_key, oropenai_baseparameters. For example, settingopenai_modeltomodel,MALICIOUS_VAR=evil - The attacker triggers the
deploy.pyscript, passing the crafted payload to thegcloud run deploy --set-env-varscommand. gcloudinterprets the comma in the injected value as a separator, parsing the trailing text as additional key-value pairs.- Arbitrary environment variables, as specified in the malicious payload, are injected into the Cloud Run service during deployment.
- The Cloud Run service is deployed with the injected environment variables.
- The attacker leverages the injected environment variables to escalate privileges within the application or gain unauthorized access to resources.
Impact
Successful exploitation of CVE-2026-40113 allows attackers to inject arbitrary environment variables into a deployed Cloud Run service running PraisonAI. This can lead to privilege escalation, unauthorized access to sensitive data, and modification of application behavior. While the exact number of vulnerable PraisonAI instances is unknown, the potential impact includes compromised cloud infrastructure and data breaches, especially for organizations that rely on PraisonAI for critical business functions.
Recommendation
- Upgrade PraisonAI to version 4.5.128 or later to remediate CVE-2026-40113.
- Implement input validation on
openai_model,openai_key, andopenai_baseparameters within thedeploy.pyscript or similar deployment scripts to prevent comma injection, mitigating the vulnerability even in older versions. - Monitor Google Cloud Run deployments for unexpected environment variables using cloud audit logs (service: "cloudtrail") and implement the Sigma rule
Detect Suspicious Google Cloud Run Environment Variable Injection. - Review existing Cloud Run deployments for potentially malicious environment variables and revert to a clean state.
Detection coverage 2
Detect Suspicious Google Cloud Run Environment Variable Injection
highDetects attempts to inject arbitrary environment variables into Google Cloud Run deployments by monitoring suspicious activity related to environment variable settings in cloud audit logs.
Detect PraisonAI deploy.py execution
lowDetects execution of deploy.py which is used to deploy PraisonAI, which may indicate deployment activity and potential exploitation attempts.
Detection queries are available on the platform. Get full rules →