{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40088/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.6,"id":"CVE-2026-40088"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40088","command-injection","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is susceptible to OS command injection in versions prior to 4.5.121. The vulnerability, identified as CVE-2026-40088, stems from the \u003ccode\u003eexecute_command\u003c/code\u003e function and workflow shell execution, which improperly handles user-controlled input. Attackers can inject arbitrary shell commands through shell metacharacters via agent workflows, YAML definitions, and LLM-generated tool calls. This can lead to complete system compromise. It is critical to upgrade to version 4.5.121 or later to remediate this vulnerability. The CVSS v3.1 base score for this vulnerability is 9.6, indicating a critical severity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious YAML definition or workflow for PraisonAI.\u003c/li\u003e\n\u003cli\u003eThis crafted input contains shell metacharacters designed to inject arbitrary commands.\u003c/li\u003e\n\u003cli\u003eThe user (victim) imports or executes the attacker-supplied YAML or workflow within PraisonAI.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eexecute_command\u003c/code\u003e function processes the input without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected shell commands are executed by the underlying operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution privileges on the PraisonAI server.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform lateral movement, data exfiltration, or system compromise.\u003c/li\u003e\n\u003cli\u003eThe attacker can further leverage the compromised system to target other systems within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40088 allows an attacker to execute arbitrary commands on the PraisonAI server. This can lead to complete system compromise, data exfiltration, and potential lateral movement within the network. The severity of this vulnerability is rated as critical with a CVSS v3.1 score of 9.6. This could affect any organization using PraisonAI versions prior to 4.5.121.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI to version 4.5.121 or later to patch CVE-2026-40088.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization for all user-supplied data processed by the \u003ccode\u003eexecute_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor PraisonAI logs for suspicious command execution patterns after upgrading.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided below to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and restrict permissions of the PraisonAI service account to minimize the impact of successful command injection.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:27Z","date_published":"2026-04-09T20:16:27Z","id":"/briefs/2026-04-praisonai-command-injection/","summary":"PraisonAI versions prior to 4.5.121 are vulnerable to OS command injection, allowing attackers to execute arbitrary shell commands via user-controlled input in agent workflows, YAML definitions, and LLM-generated tool calls.","title":"PraisonAI OS Command Injection Vulnerability (CVE-2026-40088)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40088","version":"https://jsonfeed.org/version/1.1"}