{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40288/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-40288"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI","praisonaiagents"],"_cs_severities":["critical"],"_cs_tags":["praisonai","yaml","code-execution","cve-2026-40288"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, contains a critical vulnerability (CVE-2026-40288) affecting versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. This flaw resides in the workflow engine and allows for arbitrary command and code execution through the use of untrusted YAML files. Specifically, when a YAML file with \u003ccode\u003etype: job\u003c/code\u003e is loaded, the \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e processes steps like \u003ccode\u003erun\u003c/code\u003e, \u003ccode\u003escript\u003c/code\u003e, and \u003ccode\u003epython\u003c/code\u003e without proper validation or sandboxing. An attacker who can supply or influence a workflow YAML file can execute arbitrary commands on the host system. This poses a significant risk, especially in CI/CD pipelines, shared repositories, or multi-tenant environments where workflow files may be easily accessible or modifiable, leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains the ability to supply or influence a workflow YAML file within a PraisonAI environment. This could involve compromising a shared repository or manipulating a CI/CD pipeline.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious YAML file containing a \u003ccode\u003etype: job\u003c/code\u003e definition.\u003c/li\u003e\n\u003cli\u003eWithin the YAML file, the attacker utilizes the \u003ccode\u003erun:\u003c/code\u003e step to inject arbitrary shell commands. Alternatively, they could use the \u003ccode\u003escript:\u003c/code\u003e step for inline Python code execution or the \u003ccode\u003epython:\u003c/code\u003e step to specify an arbitrary Python script.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epraisonai workflow run \u0026lt;file.yaml\u0026gt;\u003c/code\u003e command is executed, loading the malicious YAML file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eJobWorkflowExecutor\u003c/code\u003e in \u003ccode\u003ejob_workflow.py\u003c/code\u003e processes the YAML file.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eaction_run()\u003c/code\u003e function in \u003ccode\u003eworkflow.py\u003c/code\u003e is called, which in turn executes the injected code via \u003ccode\u003e_exec_shell()\u003c/code\u003e, \u003ccode\u003e_exec_inline_python()\u003c/code\u003e, or \u003ccode\u003e_exec_python_script()\u003c/code\u003e in \u003ccode\u003ejob_workflow.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe arbitrary command or code is executed on the host system without validation or user confirmation.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves full arbitrary command execution, potentially compromising the machine, accessing sensitive data, or obtaining credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host system running PraisonAI. This can lead to complete system compromise, including unauthorized access to sensitive data, credential theft, and the potential for lateral movement within the network. The vulnerability is particularly dangerous in environments with shared workflow configurations or multi-tenant deployments. While specific victim counts are unavailable, any system running the vulnerable versions of PraisonAI or praisonaiagents is at risk, potentially leading to significant data breaches and operational disruption.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40288.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detect PraisonAI Workflow YAML Execution\u0026quot; to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement strict access controls and input validation for workflow YAML files to prevent unauthorized modification or injection of malicious code.\u003c/li\u003e\n\u003cli\u003eMonitor process execution logs for suspicious commands originating from PraisonAI processes, as detected by the \u0026quot;Suspicious Process Execution from PraisonAI\u0026quot; Sigma rule.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-23T12:00:00Z","date_published":"2024-01-23T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-23-praisonai-yaml-exec/","summary":"PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to arbitrary command execution via untrusted YAML files processed by the workflow engine.","title":"PraisonAI Workflow Engine Vulnerability CVE-2026-40288","url":"https://feed.craftedsignal.io/briefs/2024-01-23-praisonai-yaml-exec/"}],"language":"en","title":"CraftedSignal Threat Feed - Cve-2026-40288","version":"https://jsonfeed.org/version/1.1"}