PraisonAI Flaw: Untrusted YAML Leads to RCE


A critical remote code execution (RCE) vulnerability, tracked as CVE-2026-40288, has been identified in PraisonAI’s multi-agent teams system. According to the National Vulnerability Database, PraisonAI versions below 4.5.139 and praisonaiagents versions below 1.5.140 are susceptible because the workflow engine does not sufficiently validate untrusted YAML files.

The core issue lies in how the praisonai workflow run <file.yaml> command processes YAML files with type: job. The JobWorkflowExecutor in job_workflow.py fails to properly sanitize or sandbox steps that leverage run: for shell commands, script: for inline Python, or python: for arbitrary Python script execution. This allows an attacker to inject and execute arbitrary commands or code on the host system without any user confirmation, leading to full system compromise.

This flaw, rated a staggering 9.8 CVSS (CRITICAL), is particularly dangerous in environments where attackers can influence or supply workflow YAML files, such as CI/CD pipelines, shared code repositories, or multi-tenant deployments. The National Vulnerability Database highlights CWE-78 (Improper Neutralization of Special Elements used in an OS Command) and CWE-94 (Improper Control of Generation of Code (‘Code Injection’)) as the underlying weaknesses. Patches are available in PraisonAI version 4.5.139 and praisonaiagents version 1.5.140.
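A pre-flight gate for the CI/CD and shared-repository cases above, as an added example that is not PraisonAI code: it walks an already parsed workflow and reports every `run:`, `script:` or `python:` key in a `type: job` file so the file can be reviewed before `praisonai workflow run` processes it. The function names, the `SAMPLE` document and its `name`/`steps` layout are assumptions made for illustration, and `audit_file` assumes PyYAML is installed.

```python
import sys

# Step keys the advisory names as executing on the host in `type: job` workflows.
EXEC_KEYS = {
    "run": "shell command (CWE-78)",
    "script": "inline Python (CWE-94)",
    "python": "Python script execution (CWE-94)",
}

# Constructed sample of a parsed workflow; `name` and `steps` are assumed layout.
SAMPLE = {
    "type": "job",
    "name": "nightly",
    "steps": [
        {"name": "build", "run": "make all"},
        {"name": "report", "script": "print('done')"},
        {"name": "notify", "message": "ok"},
    ],
}

def find_exec_steps(node, path="$"):
    """Yield (location, reason) for every execution key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(key, str) and key in EXEC_KEYS:
                yield here, EXEC_KEYS[key]
            yield from find_exec_steps(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_exec_steps(item, f"{path}[{i}]")

def audit_workflow(doc):
    """Return findings for a parsed workflow; an empty list means nothing flagged."""
    # Compare case-insensitively so the gate errs toward flagging.
    if not isinstance(doc, dict) or str(doc.get("type", "")).strip().lower() != "job":
        return []
    return list(find_exec_steps(doc))

def audit_file(path):
    import yaml  # PyYAML (assumed installed); safe_load builds only plain data types
    with open(path, encoding="utf-8") as fh:
        return audit_workflow(yaml.safe_load(fh))

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    findings = audit_file(target) if target else audit_workflow(SAMPLE)
    for where, reason in findings:
        print(f"{target or 'SAMPLE'}: {where}: {reason}")
    sys.exit(1 if findings else 0)
```

The non-zero exit status lets a pipeline stop on any flagged file; upgrading to the patched versions remains the fix.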


Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40288 | RCE | PraisonAI versions < 4.5.139 |
| CVE-2026-40288 | RCE | praisonaiagents versions < 1.5.140 |
| CVE-2026-40288 | Command Injection | Vulnerable workflow engine processing untrusted YAML files via 'praisonai workflow run <file.yaml>' with 'type: job' and 'run:' step |
| CVE-2026-40288 | Code Injection | Vulnerable workflow engine processing untrusted YAML files via 'praisonai workflow run <file.yaml>' with 'type: job' and 'script:' step (inline Python via exec()) |
| CVE-2026-40288 | Code Injection | Vulnerable workflow engine processing untrusted YAML files via 'praisonai workflow run <file.yaml>' with 'type: job' and 'python:' step (arbitrary Python script execution) |
