CVE-2026-40113: PraisonAI: arg injection injects env vars into Cloud Run
GHSA-fvxx-ggmx-3cjg HIGH CISA: ATTENDPraisonAI's deploy.py constructs the gcloud --set-env-vars argument by directly string-interpolating openai_model, openai_key, and openai_base without sanitizing commas, allowing anyone with low-privilege access to the deploy environment to inject arbitrary environment variables into the resulting Cloud Run service. With a CVSS of 8.4 (Scope:Changed, C:High, I:High), a successful exploit can overwrite API keys, redirect agent communication to adversary-controlled endpoints, or corrupt runtime secrets in the deployed multi-agent service — all without touching service code. No public exploit exists and the vulnerability is absent from CISA KEV, but the trivial exploitation complexity (insert a comma into a config value) makes this a real risk in shared CI/CD runners or developer workstations where pipeline credentials are present. Upgrade to PraisonAI 4.5.128 immediately and audit existing Cloud Run services for unexpected environment variable additions.
What is the risk?
High severity (CVSS 8.4) with low attack complexity and low privilege requirements. The Scope:Changed rating is the critical signal here — the exploit crosses a security boundary from the deploy host into the live Cloud Run service, amplifying blast radius beyond the attacker's initial foothold. While the local attack vector limits opportunistic internet-scale exploitation, shared build environments, compromised CI runners, or multi-tenant developer workstations present a realistic threat surface. No active exploitation evidence reduces urgency marginally, but the technique requires zero AI/ML expertise — any developer-level attacker can weaponize it.
How does the attack unfold?
What systems are affected?
How severe is it?
What is the attack surface?
What should I do?
5 steps-
Upgrade PraisonAI to 4.5.128 or later — this version validates and sanitizes the env-var string before passing it to gcloud.
-
For services already deployed with vulnerable versions, audit Cloud Run environment variables via 'gcloud run services describe <service> --format=json | jq .spec.template.spec.containers[].env' to verify no unexpected KEY=VALUE pairs were injected.
-
Rotate all API keys (openai_key, openai_base) that transited deploy.py in affected versions.
-
Review CI/CD pipeline access controls to ensure only authorized principals can set openai_model, openai_key, and openai_base values.
-
Detection: monitor Cloud Audit Logs for gcloud run deploy invocations with anomalously long or comma-heavy --set-env-vars arguments, or environment variable names that do not match your expected deployment schema.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-40113?
PraisonAI's deploy.py constructs the gcloud --set-env-vars argument by directly string-interpolating openai_model, openai_key, and openai_base without sanitizing commas, allowing anyone with low-privilege access to the deploy environment to inject arbitrary environment variables into the resulting Cloud Run service. With a CVSS of 8.4 (Scope:Changed, C:High, I:High), a successful exploit can overwrite API keys, redirect agent communication to adversary-controlled endpoints, or corrupt runtime secrets in the deployed multi-agent service — all without touching service code. No public exploit exists and the vulnerability is absent from CISA KEV, but the trivial exploitation complexity (insert a comma into a config value) makes this a real risk in shared CI/CD runners or developer workstations where pipeline credentials are present. Upgrade to PraisonAI 4.5.128 immediately and audit existing Cloud Run services for unexpected environment variable additions.
Is CVE-2026-40113 actively exploited?
No confirmed active exploitation of CVE-2026-40113 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-40113?
1. Upgrade PraisonAI to 4.5.128 or later — this version validates and sanitizes the env-var string before passing it to gcloud. 2. For services already deployed with vulnerable versions, audit Cloud Run environment variables via 'gcloud run services describe <service> --format=json | jq .spec.template.spec.containers[].env' to verify no unexpected KEY=VALUE pairs were injected. 3. Rotate all API keys (openai_key, openai_base) that transited deploy.py in affected versions. 4. Review CI/CD pipeline access controls to ensure only authorized principals can set openai_model, openai_key, and openai_base values. 5. Detection: monitor Cloud Audit Logs for gcloud run deploy invocations with anomalously long or comma-heavy --set-env-vars arguments, or environment variable names that do not match your expected deployment schema.
What systems are affected by CVE-2026-40113?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, cloud-deployed AI services, CI/CD deployment pipelines.
What is the CVSS score for CVE-2026-40113?
CVE-2026-40113 has a CVSS v3.1 base score of 8.4 (HIGH). The EPSS exploitation probability is 0.23%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0050 Command and Scripting Interpreter AML.T0055 Unsecured Credentials AML.T0081 Modify AI Agent Configuration Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.
Exploitation Scenario
An attacker with low-privilege access to a CI/CD runner or developer workstation sets openai_key to a value such as 'sk-legitimate-key,MALICIOUS_VAR=https://attacker.example.com'. When deploy.py runs gcloud run deploy with this value, gcloud parses the comma as a KEY=VALUE separator and injects MALICIOUS_VAR into the Cloud Run service as a legitimate environment variable. If the PraisonAI agent or any downstream tool consumes MALICIOUS_VAR as a webhook, callback URL, or secondary API endpoint, all agent outputs, function call results, or accumulated context are redirected to the attacker's server — achieving data exfiltration from a production AI agent pipeline without modifying any service source code.
Weaknesses (CWE)
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Primary
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Primary
CWE-88 — Improper Neutralization of Argument Delimiters in a Command ('Argument Injection'): The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
- [Implementation] Where possible, avoid building a single string that contains the command and its arguments. Some languages or frameworks have functions that support specifying independent arguments, e.g. as an array, which is used to automatically perform the appropriate quoting or escaping while building the command. For example, in PHP, escapeshellarg() can be used to escape a single argument to system(), or exec() can be called with an array of arguments. In C, code can often be refactored from using system() - which accepts a single string - to using exec(), which requires separate function arguments for each parameter.
- [Architecture and Design] Understand all the potential areas where untrusted inputs can enter your product: parameters or arguments, cookies, anything read from the network, environment variables, request headers as well as content, URL components, e-mail, files, databases, and any external systems that provide data to the application. Perform input validation at well-defined interfaces.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N References
Timeline
Related Vulnerabilities
GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai GHSA-9qhq-v63v-fv3j 9.8 PraisonAI: RCE via MCP command injection
Same package: praisonai CVE-2026-39890 9.8 PraisonAI: YAML deserialization enables unauthenticated RCE
Same package: praisonai