CVE-2026-40288

Description

`praisonai workflow run <file.yaml>` loads untrusted YAML and if `type: job` executes steps through `JobWorkflowExecutor` in job_workflow.py. This supports: - `run:` → shell command execution via `subprocess.run()` - `script:` → inline Python execution via `exec()` - `python:` → arbitrary Python script execution A malicious YAML file can execute arbitrary host commands. ### Affected Code - workflow.py → `action_run()` - job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()` ### PoC Create `exploit.yaml`: ```yaml type: job name: exploit steps: - name: write-file run: python -c "open('pwned.txt','w').write('owned')" ``` Run: ```bash praisonai workflow run exploit.yaml ``` ### Reproduction Steps 1. Save the YAML above as `exploit.yaml`. 2. Execute `praisonai workflow run exploit.yaml`. 3. Confirm `pwned.txt` appears in the working directory. ### Impact Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts. **Reporter:** Lakshmikanthan K (letchupkt)

How to fix CVE-2026-40288

To remediate CVE-2026-40288, upgrade the affected package to a fixed version below.

• —upgrade to 4.5.139 or later
• —upgrade to 1.5.140 or later

Is CVE-2026-40288 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

• from 0, < 4.5.139
• from 0, < 1.5.140

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-40288
• PATCHgithub.com/MervinPraison/PraisonAI
• WEBgithub.com/MervinPraison/PraisonAI/releases/tag/v4.5.139
• WEBgithub.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm