<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cve-2026-40288 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/cve-2026-40288/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Tue, 23 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/cve-2026-40288/feed.xml" rel="self" type="application/rss+xml"/><item><title>PraisonAI Workflow Engine Vulnerability CVE-2026-40288</title><link>https://feed.craftedsignal.io/briefs/2024-01-23-praisonai-yaml-exec/</link><pubDate>Tue, 23 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-23-praisonai-yaml-exec/</guid><description>PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to arbitrary command execution via untrusted YAML files processed by the workflow engine.</description><content:encoded><![CDATA[<p>PraisonAI, a multi-agent teams system, contains a critical vulnerability (CVE-2026-40288) affecting versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. This flaw resides in the workflow engine and allows for arbitrary command and code execution through the use of untrusted YAML files. Specifically, when a YAML file with <code>type: job</code> is loaded, the <code>JobWorkflowExecutor</code> processes steps like <code>run</code>, <code>script</code>, and <code>python</code> without proper validation or sandboxing. An attacker who can supply or influence a workflow YAML file can execute arbitrary commands on the host system. This poses a significant risk, especially in CI/CD pipelines, shared repositories, or multi-tenant environments where workflow files may be easily accessible or modifiable, leading to complete system compromise.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains the ability to supply or influence a workflow YAML file within a PraisonAI environment. This could involve compromising a shared repository or manipulating a CI/CD pipeline.</li>
<li>The attacker crafts a malicious YAML file containing a <code>type: job</code> definition.</li>
<li>Within the YAML file, the attacker utilizes the <code>run:</code> step to inject arbitrary shell commands. Alternatively, they could use the <code>script:</code> step for inline Python code execution or the <code>python:</code> step to specify an arbitrary Python script.</li>
<li>The <code>praisonai workflow run &lt;file.yaml&gt;</code> command is executed, loading the malicious YAML file.</li>
<li>The <code>JobWorkflowExecutor</code> in <code>job_workflow.py</code> processes the YAML file.</li>
<li>The <code>action_run()</code> function in <code>workflow.py</code> is called, which in turn executes the injected code via <code>_exec_shell()</code>, <code>_exec_inline_python()</code>, or <code>_exec_python_script()</code> in <code>job_workflow.py</code>.</li>
<li>The arbitrary command or code is executed on the host system without validation or user confirmation.</li>
<li>The attacker achieves full arbitrary command execution, potentially compromising the machine, accessing sensitive data, or obtaining credentials.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the host system running PraisonAI. This can lead to complete system compromise, including unauthorized access to sensitive data, credential theft, and the potential for lateral movement within the network. The vulnerability is particularly dangerous in environments with shared workflow configurations or multi-tenant deployments. While specific victim counts are unavailable, any system running the vulnerable versions of PraisonAI or praisonaiagents is at risk, potentially leading to significant data breaches and operational disruption.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40288.</li>
<li>Deploy the Sigma rule &quot;Detect PraisonAI Workflow YAML Execution&quot; to your SIEM to detect potential exploitation attempts.</li>
<li>Implement strict access controls and input validation for workflow YAML files to prevent unauthorized modification or injection of malicious code.</li>
<li>Monitor process execution logs for suspicious commands originating from PraisonAI processes, as detected by the &quot;Suspicious Process Execution from PraisonAI&quot; Sigma rule.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>praisonai</category><category>yaml</category><category>code-execution</category><category>cve-2026-40288</category></item></channel></rss>