CVE-2026-40113: PraisonAI: arg injection injects env vars into Cloud Run

GHSA-fvxx-ggmx-3cjg HIGH CISA: ATTEND
Published April 9, 2026
CISO Take

PraisonAI's deploy.py constructs the gcloud --set-env-vars argument by directly string-interpolating openai_model, openai_key, and openai_base without sanitizing commas, allowing anyone with low-privilege access to the deploy environment to inject arbitrary environment variables into the resulting Cloud Run service. With a CVSS of 8.4 (Scope:Changed, C:High, I:High), a successful exploit can overwrite API keys, redirect agent communication to adversary-controlled endpoints, or corrupt runtime secrets in the deployed multi-agent service — all without touching service code. No public exploit exists and the vulnerability is absent from CISA KEV, but the trivial exploitation complexity (insert a comma into a config value) makes this a real risk in shared CI/CD runners or developer workstations where pipeline credentials are present. Upgrade to PraisonAI 4.5.128 immediately and audit existing Cloud Run services for unexpected environment variable additions.

Sources: NVD, GitHub Advisory, ATLAS

What is the risk?

High severity (CVSS 8.4) with low attack complexity and low privilege requirements. The Scope:Changed rating is the critical signal here — the exploit crosses a security boundary from the deploy host into the live Cloud Run service, amplifying blast radius beyond the attacker's initial foothold. While the local attack vector limits opportunistic internet-scale exploitation, shared build environments, compromised CI runners, or multi-tenant developer workstations present a realistic threat surface. No active exploitation evidence reduces urgency marginally, but the technique requires zero AI/ML expertise — any developer-level attacker can weaponize it.

Attack Kill Chain

Initial Access (AML.T0012)
Attacker gains low-privilege access to the deploy environment — a developer workstation, CI runner, or shared build system — where PraisonAI deployment configuration is stored or settable.

Payload Crafting (AML.T0050)
Attacker sets openai_key, openai_model, or openai_base to a value containing a comma followed by 'INJECTED_VAR=attacker-controlled-value', exploiting the lack of input validation in deploy.py.

Argument Injection (AML.T0081)
deploy.py passes the unsanitized string to gcloud run deploy --set-env-vars; gcloud parses the embedded comma as a KEY=VALUE separator and injects the attacker-controlled variable into the Cloud Run service environment.

Impact (AML.T0086)
The deployed PraisonAI agent service starts with attacker-injected environment variables, potentially overriding API keys, redirecting tool calls or webhooks to adversary-controlled infrastructure, or exfiltrating accumulated agent context.

What systems are affected?

Package    Ecosystem  Vulnerable Range  Patched
PraisonAI  pip        < 4.5.128         4.5.128   (1 dependent, 84% patched, ~0d to patch)
praisonai  pip        -                 No patch  (1 dependent, 84% patched, ~0d to patch)

Severity & Risk

CVSS 3.1: 8.4 / 10
EPSS: 0.0% chance of exploitation in 30 days (higher than 10% of all CVEs)
Exploitation Status: Exploit Available (Exploitation: MEDIUM)
Sophistication: Trivial
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Local
AC: Low
PR: Low
UI: None
S: Changed
C: High
I: High
A: None

What should I do?

5 steps
  1. Upgrade PraisonAI to 4.5.128 or later — this version validates and sanitizes the env-var string before passing it to gcloud.

  2. For services already deployed with vulnerable versions, audit Cloud Run environment variables via 'gcloud run services describe <service> --format=json | jq .spec.template.spec.containers[].env' to verify no unexpected KEY=VALUE pairs were injected.

  3. Rotate all API keys (openai_key, openai_base) that transited deploy.py in affected versions.

  4. Review CI/CD pipeline access controls to ensure only authorized principals can set openai_model, openai_key, and openai_base values.

  5. Detection: monitor Cloud Audit Logs for gcloud run deploy invocations with anomalously long or comma-heavy --set-env-vars arguments, or environment variable names that do not match your expected deployment schema.
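An added audit helper for steps 2 and 5, written here and not part of the advisory or of PraisonAI: it walks the same JSON path as the jq filter in step 2 over a constructed `gcloud run services describe --format=json` sample and reports env vars outside the expected schema, and applies the step 5 heuristic to a `--set-env-vars` argument string wherever the pipeline records one (CI job logs, wrapper scripts). The expected variable names are an assumption; adjust them to the real deployment schema.

```python
import json

# Assumed deployment schema for the audit; adjust to the service's real variables.
EXPECTED_ENV = {"OPENAI_MODEL", "OPENAI_API_KEY", "OPENAI_API_BASE", "PORT"}


def unexpected_env_vars(describe_json, expected=EXPECTED_ENV):
    """Walk .spec.template.spec.containers[].env (the path from step 2) and
    return (name, value) pairs whose name is not in the expected schema."""
    service = json.loads(describe_json)
    containers = service["spec"]["template"]["spec"]["containers"]
    findings = []
    for container in containers:
        for entry in container.get("env", []):
            name = entry.get("name", "")
            if name not in expected:
                # Secret references use valueFrom and carry no plain value.
                findings.append((name, entry.get("value", "<valueFrom>")))
    return findings


def suspicious_set_env_vars_arg(arg, expected=EXPECTED_ENV):
    """Step 5 heuristic over a captured --set-env-vars argument: flag it when it
    carries more KEY=VALUE pairs than the schema has, or any name outside it."""
    names = [item.partition("=")[0] for item in arg.split(",")]
    return len(names) > len(expected) or any(n not in expected for n in names)


# Constructed sample of `gcloud run services describe <service> --format=json`
# output, trimmed to the fields the audit reads; MALICIOUS_VAR is the planted finding.
SAMPLE_DESCRIBE = json.dumps({
    "spec": {"template": {"spec": {"containers": [{
        "env": [
            {"name": "OPENAI_MODEL", "value": "gpt-4o"},
            {"name": "OPENAI_API_KEY", "valueFrom": {"secretKeyRef": {"name": "openai-key"}}},
            {"name": "MALICIOUS_VAR", "value": "https://attacker.example.com"},
            {"name": "OPENAI_API_BASE", "value": "https://api.openai.com/v1"},
        ]}]}}}
})

if __name__ == "__main__":
    for name, value in unexpected_env_vars(SAMPLE_DESCRIBE):
        print(f"unexpected env var: {name}={value}")
```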

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: No
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2.6 - Secure development and deployment practices
NIST AI RMF: MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10: LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2026-40113 actively exploited?

No confirmed active exploitation of CVE-2026-40113 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-40113?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, cloud-deployed AI services, CI/CD deployment pipelines.

What is the CVSS score for CVE-2026-40113?

CVE-2026-40113 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.03%.

AI Security Impact

Affected AI Architectures

agent frameworks, cloud-deployed AI services, CI/CD deployment pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM03:2025

Technical Details

Original Advisory

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.
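An added illustration of the mechanism described above, written here and not taken from PraisonAI's deploy.py: the vulnerable interpolation pattern, a small approximation of gcloud's default comma/equals splitting of `--set-env-vars`, and an assumed hardened builder that refuses values containing the pair separator. The environment variable names (OPENAI_MODEL, OPENAI_API_KEY, OPENAI_API_BASE) are assumptions, not the project's real names.

```python
import re

# Assumed variable names for illustration; PraisonAI's real names may differ.
EXPECTED_NAMES = ("OPENAI_MODEL", "OPENAI_API_KEY", "OPENAI_API_BASE")
ENV_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_env_arg_vulnerable(openai_model, openai_key, openai_base):
    """The pattern the advisory describes: raw interpolation into one
    comma-delimited --set-env-vars string with no check for ',' in the values."""
    return (f"OPENAI_MODEL={openai_model},OPENAI_API_KEY={openai_key},"
            f"OPENAI_API_BASE={openai_base}")


def gcloud_split_env(arg):
    """Approximation of gcloud's default --set-env-vars parsing: ',' separates
    KEY=VALUE pairs and the first '=' separates key from value."""
    pairs = {}
    for item in arg.split(","):
        key, _, value = item.partition("=")
        pairs[key] = value
    return pairs


def extra_vars_from_vulnerable_build(openai_key):
    """Names that appear after gcloud-style parsing of the vulnerable string
    but were never part of the intended deployment schema."""
    arg = build_env_arg_vulnerable("gpt-4o", openai_key, "https://api.openai.com/v1")
    return set(gcloud_split_env(arg)) - set(EXPECTED_NAMES)


def is_safe_env_value(value):
    """Safe for the default delimiter only if gcloud cannot read the value as
    the start of another KEY=VALUE pair."""
    return isinstance(value, str) and "," not in value and "\n" not in value


def build_env_arg_hardened(openai_model, openai_key, openai_base):
    """Assumed hardening (not the project's actual fix): validate every name
    and value before the string reaches the gcloud command line."""
    env = dict(zip(EXPECTED_NAMES, (openai_model, openai_key, openai_base)))
    for name, value in env.items():
        if not ENV_NAME.match(name):
            raise ValueError(f"invalid env var name {name!r}")
        if not is_safe_env_value(value):
            raise ValueError(f"{name} contains ',' (gcloud pair separator); refusing to deploy")
    return ",".join(f"{k}={v}" for k, v in env.items())
```

If a value legitimately needs a comma, gcloud's `^DELIM^` prefix syntax (documented under `gcloud topic escaping`) lets the deploy script choose a different separator instead of interpolating into the default one.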

Exploitation Scenario

An attacker with low-privilege access to a CI/CD runner or developer workstation sets openai_key to a value such as 'sk-legitimate-key,MALICIOUS_VAR=https://attacker.example.com'. When deploy.py runs gcloud run deploy with this value, gcloud parses the comma as a KEY=VALUE separator and injects MALICIOUS_VAR into the Cloud Run service as a legitimate environment variable. If the PraisonAI agent or any downstream tool consumes MALICIOUS_VAR as a webhook, callback URL, or secondary API endpoint, all agent outputs, function call results, or accumulated context are redirected to the attacker's server — achieving data exfiltration from a production AI agent pipeline without modifying any service source code.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Timeline

Published: April 9, 2026
Last Modified: April 10, 2026
First Seen: April 9, 2026
