CVE-2026-40113: PraisonAI: arg injection injects env vars into Cloud Run

GHSA-fvxx-ggmx-3cjg HIGH CISA: ATTEND
Published April 9, 2026
CISO Take

PraisonAI's deploy.py constructs the gcloud --set-env-vars argument by directly string-interpolating openai_model, openai_key, and openai_base without sanitizing commas, allowing anyone with low-privilege access to the deploy environment to inject arbitrary environment variables into the resulting Cloud Run service. With a CVSS of 8.4 (Scope:Changed, C:High, I:High), a successful exploit can overwrite API keys, redirect agent communication to adversary-controlled endpoints, or corrupt runtime secrets in the deployed multi-agent service — all without touching service code. No public exploit exists and the vulnerability is absent from CISA KEV, but the trivial exploitation complexity (insert a comma into a config value) makes this a real risk in shared CI/CD runners or developer workstations where pipeline credentials are present. Upgrade to PraisonAI 4.5.128 immediately and audit existing Cloud Run services for unexpected environment variable additions.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High severity (CVSS 8.4) with low attack complexity and low privilege requirements. The Scope:Changed rating is the critical signal here — the exploit crosses a security boundary from the deploy host into the live Cloud Run service, amplifying blast radius beyond the attacker's initial foothold. While the local attack vector limits opportunistic internet-scale exploitation, shared build environments, compromised CI runners, or multi-tenant developer workstations present a realistic threat surface. No active exploitation evidence reduces urgency marginally, but the technique requires zero AI/ML expertise — any developer-level attacker can weaponize it.

How does the attack unfold?

Initial Access
Attacker gains low-privilege access to the deploy environment — a developer workstation, CI runner, or shared build system — where PraisonAI deployment configuration is stored or settable.
AML.T0012
Payload Crafting
Attacker sets openai_key, openai_model, or openai_base to a value containing a comma followed by 'INJECTED_VAR=attacker-controlled-value', exploiting the lack of input validation in deploy.py.
AML.T0050
Argument Injection
deploy.py passes the unsanitized string to gcloud run deploy --set-env-vars; gcloud parses the embedded comma as a KEY=VALUE separator and injects the attacker-controlled variable into the Cloud Run service environment.
AML.T0081
Impact
The deployed PraisonAI agent service starts with attacker-injected environment variables, potentially overriding API keys, redirecting tool calls or webhooks to adversary-controlled infrastructure, or exfiltrating accumulated agent context.
AML.T0086

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip < 4.5.128 4.5.128
1 dependents 82% patched ~0d to patch Full package profile →
PraisonAI pip No patch
1 dependents 82% patched ~0d to patch Full package profile →

How severe is it?

CVSS 3.1
8.4 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 14% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Changed
C High
I High
A None

What should I do?

5 steps
  1. Upgrade PraisonAI to 4.5.128 or later — this version validates and sanitizes the env-var string before passing it to gcloud.

  2. For services already deployed with vulnerable versions, audit Cloud Run environment variables via 'gcloud run services describe <service> --format=json | jq .spec.template.spec.containers[].env' to verify no unexpected KEY=VALUE pairs were injected.

  3. Rotate all API keys (openai_key, openai_base) that transited deploy.py in affected versions.

  4. Review CI/CD pipeline access controls to ensure only authorized principals can set openai_model, openai_key, and openai_base values.

  5. Detection: monitor Cloud Audit Logs for gcloud run deploy invocations with anomalously long or comma-heavy --set-env-vars arguments, or environment variable names that do not match your expected deployment schema.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
A.6.2.6 - Secure development and deployment practices
NIST AI RMF
MANAGE 2.4 - Residual risks are managed
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-40113?

PraisonAI's deploy.py constructs the gcloud --set-env-vars argument by directly string-interpolating openai_model, openai_key, and openai_base without sanitizing commas, allowing anyone with low-privilege access to the deploy environment to inject arbitrary environment variables into the resulting Cloud Run service. With a CVSS of 8.4 (Scope:Changed, C:High, I:High), a successful exploit can overwrite API keys, redirect agent communication to adversary-controlled endpoints, or corrupt runtime secrets in the deployed multi-agent service — all without touching service code. No public exploit exists and the vulnerability is absent from CISA KEV, but the trivial exploitation complexity (insert a comma into a config value) makes this a real risk in shared CI/CD runners or developer workstations where pipeline credentials are present. Upgrade to PraisonAI 4.5.128 immediately and audit existing Cloud Run services for unexpected environment variable additions.

Is CVE-2026-40113 actively exploited?

No confirmed active exploitation of CVE-2026-40113 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40113?

1. Upgrade PraisonAI to 4.5.128 or later — this version validates and sanitizes the env-var string before passing it to gcloud. 2. For services already deployed with vulnerable versions, audit Cloud Run environment variables via 'gcloud run services describe <service> --format=json | jq .spec.template.spec.containers[].env' to verify no unexpected KEY=VALUE pairs were injected. 3. Rotate all API keys (openai_key, openai_base) that transited deploy.py in affected versions. 4. Review CI/CD pipeline access controls to ensure only authorized principals can set openai_model, openai_key, and openai_base values. 5. Detection: monitor Cloud Audit Logs for gcloud run deploy invocations with anomalously long or comma-heavy --set-env-vars arguments, or environment variable names that do not match your expected deployment schema.

What systems are affected by CVE-2026-40113?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, cloud-deployed AI services, CI/CD deployment pipelines.

What is the CVSS score for CVE-2026-40113?

CVE-2026-40113 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.23%.

What is the AI security impact?

Affected AI Architectures

agent frameworkscloud-deployed AI servicesCI/CD deployment pipelines

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0050 Command and Scripting Interpreter
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: A.6.2.6
NIST AI RMF: MANAGE 2.4
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.

Exploitation Scenario

An attacker with low-privilege access to a CI/CD runner or developer workstation sets openai_key to a value such as 'sk-legitimate-key,MALICIOUS_VAR=https://attacker.example.com'. When deploy.py runs gcloud run deploy with this value, gcloud parses the comma as a KEY=VALUE separator and injects MALICIOUS_VAR into the Cloud Run service as a legitimate environment variable. If the PraisonAI agent or any downstream tool consumes MALICIOUS_VAR as a webhook, callback URL, or secondary API endpoint, all agent outputs, function call results, or accumulated context are redirected to the attacker's server — achieving data exfiltration from a production AI agent pipeline without modifying any service source code.

Weaknesses (CWE)

CWE-88 — Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

  • [Implementation] Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.
  • [Architecture and Design] Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Timeline

Published
April 9, 2026
Last Modified
April 10, 2026
First Seen
April 9, 2026

Related Vulnerabilities