Vulnerability in PraisonAIAgents Multi-Agent System Exposes Environment Variables
CVE-2026-40153

7.4 HIGH

Key Information:

Vendor
CVE Published: 9 April 2026

What is CVE-2026-40153?

PraisonAIAgents, a multi-agent teams system, has a security flaw in its command execution process in versions prior to 1.5.128. The 'execute_command' function in 'shell_tools.py' improperly handles environment variables, which allows sensitive information such as database credentials and API keys to be exfiltrated. The vulnerability occurs because reviewers are shown the unexpanded variable references, so a command can look safe when it is approved. This misleading display could let malicious actors obtain sensitive information that should remain confidential.
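The gap between the command a reviewer sees and the command that runs can be checked before approval. The following is an added example, not PraisonAIAgents code or its actual fix: it assumes expansion happens after the approval prompt, and the names `find_env_refs`, `expand`, `approval_view` and `gate` are hypothetical.

```python
import re
import shlex

# $NAME, ${NAME} (POSIX style) and %NAME% (Windows style) references.
ENV_REF = re.compile(r"\$([A-Za-z_]\w*)|\$\{([A-Za-z_]\w*)\}|%([A-Za-z_]\w*)%")

def _name(match):
    return match.group(1) or match.group(2) or match.group(3)

def find_env_refs(command):
    """Variable names the command references, in order, without duplicates."""
    names = []
    for match in ENV_REF.finditer(command):
        if _name(match) not in names:
            names.append(_name(match))
    return names

def expand(command, env):
    """What a later expansion step would produce; unset names stay literal."""
    return ENV_REF.sub(lambda m: env.get(_name(m), m.group(0)), command)

def approval_view(command, env):
    """What the reviewer should see: the literal text, every reference in it,
    and whether the text shown is the text that would run. Values are never
    included, so the approval prompt itself cannot leak a secret."""
    return {
        "shown": command,
        "references": find_env_refs(command),
        "display_matches_execution": expand(command, env) == command,
    }

def gate(command):
    """Hypothetical hardened gate: reject any reference, then return argv for
    execution without a shell and without any expansion step."""
    refs = find_env_refs(command)
    if refs:
        raise PermissionError("environment references need explicit review: "
                              + ", ".join(refs))
    return shlex.split(command)

# Constructed sample input; the variable name and value are made up.
SAMPLE_ENV = {"DATABASE_URL": "postgres://app:example-password@db.internal/app"}
SAMPLE_COMMAND = "echo $DATABASE_URL"

if __name__ == "__main__":
    print(approval_view(SAMPLE_COMMAND, SAMPLE_ENV))
    print(gate("ls -la /tmp"))
```

The gate is deliberately conservative: it rejects a reference even when the variable is currently unset, because the environment at execution time may differ from the one at review time.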

Affected Version(s)

PraisonAIAgents < 1.5.128

CVSS V3.1

Score: 7.4
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
