{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40153", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.013Z", "datePublished": "2026-04-09T21:27:45.545Z", "dateUpdated": "2026-04-09T21:27:45.545Z"}, "containers": {"cna": {"title": "PraisonAIAgents Affected by Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool", "problemTypes": [{"descriptions": [{"cweId": "CWE-526", "lang": "en", "description": "CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAIAgents", "versions": [{"version": "< 1.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:27:45.545Z"}, "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128."}], "source": {"advisory": "GHSA-v8g7-9q6v-p3x8", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128."}], "id": "CVE-2026-40153", "lastModified": "2026-04-09T22:16:36.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:36.350", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-526"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAIAgents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T22:36:08.175701+00:00", "value": {"mitigation_remediation": ["Apply the patched version 1.5.128 or any newer release from MervinPraison immediately.", "If an immediate update is not possible, temporarily disable the os.path.expandvars() call in shell_tools.py or enforce shell=True for command execution.", "Verify that the approval system displays the correctly expanded command and does not show undeclared $VAR references.", "Remove or mask sensitive environment variables from the host environment when feasible to reduce the attack surface.", "Monitor command execution logs for anomalous patterns that may indicate exfiltration attempts."], "summary": {"action": "Immediate Patch", "impact": "Secret Exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability affects instances of PraisonAIAgents published by MervinPraison, specifically all versions earlier than 1.5.128. Version 1.5.128 and later incorporate a fix that removes the manual variable expansion step.", "description_and_impact": "PraisonAIAgents is a multi\u2011agent system used for orchestrating AI workloads. In releases before version 1.5.128 the execute_command routine in shell_tools.py applies os.path.expandvars() to every supplied argument even though shell=False is used. This unintended expansion allows an attacker to have environment variables such as database passwords, API keys, or cloud access tokens inserted into the command that actually runs, while the approval interface continues to display the original unexpanded $VAR syntax. The consequence is that privileged secrets can be leaked out of the system without the end\u2011user\u2019s awareness, creating a deceptive approval process and a potential exposure of credential data.", "risk_and_exploitability": "The issue carries a CVSS base score of 7.4, indicating moderate\u2011to\u2011high severity. EPSS data is not available, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attacker must be able to influence command arguments or set environment variables on the host; thus the exposure is likely limited to privileged or local users. Nonetheless, the privacy impact of secret exfiltration makes the problem significant, especially in environments where sensitive credentials are stored in environment variables."}}}}, "created": "2026-04-10T08:37:11.109920+00:00", "updated": "2026-04-10T09:28:16.186584+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonaiagents"]}