CVE-2026-40113

Exploit

EPSS 0.02%
Veröffentlicht 09.04.2026 22:16:34
Zuletzt bearbeitet 17.04.2026 19:35:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run
deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Praison ≫ Praisonai Version < 4.5.128

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.051

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.8	5.2	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
security-advisories@github.com	8.4	2	5.8	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-40113

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40113

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40113

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40113