PraisonAI workflow engine unauthenticated RCE (CVE-2026-40288)
CVE-2026-40288: PraisonAI critical RCE from untrusted YAML files. Unauthenticated attackers can execute commands or scripts, compromising hosts. Upgrade to PraisonAI 4.5.139 or praisonaiagents 1.5.140.
Patch now - CVE-2026-40288 is a critical unauthenticated remote code execution vulnerability in the PraisonAI workflow engine (versions before 4.5.139) and praisonaiagents (versions before 1.5.140). It grants attackers full command and code execution on the host system through the processing of untrusted YAML workflow files. No user interaction or privileges are required, making immediate patching essential.
Overview
A critical vulnerability in the PraisonAI workflow engine allows attackers to execute arbitrary commands and code on the host system. The flaw exists in how the system processes untrusted YAML workflow files, requiring no authentication or user interaction to be exploited.
Vulnerability Details
The vulnerability, tracked as CVE-2026-40288 with a CVSS score of 9.8, is located in the JobWorkflowExecutor component. When PraisonAI runs a workflow with the praisonai workflow run <file.yaml> command, it processes YAML files containing a type: job directive. Steps within these files can use three keys: run: for shell command execution, script: for inline Python code, and python: for running an arbitrary Python script.
The affected code paths in versions prior to PraisonAI 4.5.139 and praisonaiagents 1.5.140 include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. These functions execute their respective payloads without any validation, sandboxing, or user confirmation.
Impact and Attack Vector
An attacker who can supply or influence a workflow YAML file gains full remote code execution on the host system. This is particularly dangerous in CI/CD pipelines, shared code repositories, or multi-tenant deployment environments where workflow files might be automatically processed. Successful exploitation compromises the entire machine, allowing access to sensitive data, credentials, and potentially enabling lateral movement within a network.
The attack vector is network-based and requires neither privileges nor user interaction, making the flaw highly exploitable.
Remediation and Mitigation
The primary remediation is immediate patching. Users must upgrade to PraisonAI version 4.5.139 or praisonaiagents version 1.5.140, where this vulnerability has been fixed.
If immediate patching is not possible, organizations should implement strict controls on the origin and integrity of YAML workflow files processed by PraisonAI. Do not process YAML files from untrusted sources, and consider implementing manual review steps for workflow files in automated pipelines until the update can be applied.
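The two checks below are an added example written for this advisory, not PraisonAI project code. They cover the mitigation described above and the step keys named in the Vulnerability Details section: a version check against the fixed releases (PraisonAI 4.5.139, praisonaiagents 1.5.140) and a pre-execution gate that lists every step of a type: job workflow that would reach the run:, script: or python: execution paths, so a pipeline can hold such files for manual review instead of passing them straight to praisonai workflow run. The workflow layout (a top-level steps list of mappings, with an optional name per step) and the sample file are assumptions constructed for illustration; a real file would be loaded with yaml.safe_load() and its dict passed to the same functions.

```python
"""Pre-execution gate for PraisonAI job workflows (added example, not project code).

Assumed layout: a `type: job` mapping with a top-level `steps` list (or
name->step mapping) whose entries may carry the run:/script:/python: keys
the advisory describes. Load a real file with yaml.safe_load() first.
"""
from __future__ import annotations

import re
from typing import Any

# Fixed versions stated in the advisory for CVE-2026-40288.
FIXED_VERSIONS: dict[str, tuple[int, ...]] = {
    "praisonai": (4, 5, 139),
    "praisonaiagents": (1, 5, 140),
}

# Step keys the advisory names as reaching _exec_shell, _exec_inline_python
# and _exec_python_script without validation or confirmation.
CODE_EXEC_KEYS = ("run", "script", "python")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '4.5.138' into (4, 5, 138). Only leading numeric components are
    kept, so pre-release tags are not modelled; prefer packaging.version in
    production."""
    parts: list[int] = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_patched(package: str, installed: str) -> bool:
    """True when `installed` is at or above the fixed release for `package`.
    Tuple comparison treats a shorter version such as '4.5' as older than
    '4.5.139', which errs on the side of reporting 'unpatched'."""
    fixed = FIXED_VERSIONS[package.lower()]
    return parse_version(installed) >= fixed


def _iter_steps(workflow: dict[str, Any]):
    """Yield (label, step) pairs whether `steps` is a list or a name->step mapping."""
    steps = workflow.get("steps") or []
    if isinstance(steps, dict):
        for name, step in steps.items():
            yield str(name), step
    else:
        for index, step in enumerate(steps):
            label = step.get("name", f"step-{index}") if isinstance(step, dict) else f"step-{index}"
            yield str(label), step


def find_code_exec_steps(workflow: dict[str, Any]) -> list[dict[str, str]]:
    """List every step of a `type: job` workflow that would execute code.
    Each finding records the step label, the triggering key and a one-line
    preview of the payload: what a reviewer needs to approve or reject the
    file before it reaches the executor."""
    if workflow.get("type") != "job":
        return []
    findings: list[dict[str, str]] = []
    for label, step in _iter_steps(workflow):
        if not isinstance(step, dict):
            continue
        for key in CODE_EXEC_KEYS:
            if key in step:
                payload = str(step[key]).strip()
                preview = payload.splitlines()[0][:80] if payload else ""
                findings.append({"step": label, "key": key, "preview": preview})
    return findings


def gate(workflow: dict[str, Any], allow_code_exec: bool = False) -> tuple[bool, list[dict[str, str]]]:
    """Policy decision: refuse a workflow with code-executing steps unless the
    pipeline has explicitly approved it (allow_code_exec=True)."""
    findings = find_code_exec_steps(workflow)
    return (allow_code_exec or not findings), findings


# Constructed sample shaped after the advisory's description; not a real PraisonAI file.
SAMPLE_WORKFLOW: dict[str, Any] = {
    "type": "job",
    "name": "nightly-report",
    "steps": [
        {"name": "fetch", "agent": "researcher", "task": "Summarise yesterday's tickets"},
        {"name": "cleanup", "run": "rm -rf build/ && mkdir build"},
        {"name": "transform", "script": "import json\nprint(json.dumps({'ok': True}))"},
        {"name": "publish", "python": "scripts/publish.py"},
    ],
}


if __name__ == "__main__":
    for pkg, ver in (("praisonai", "4.5.138"), ("praisonai", "4.5.139"), ("praisonaiagents", "1.5.140")):
        print(f"{pkg} {ver}: {'patched' if is_patched(pkg, ver) else 'UNPATCHED'}")
    allowed, findings = gate(SAMPLE_WORKFLOW)
    print("allowed:", allowed)
    for f in findings:
        print(f"  step {f['step']!r} uses {f['key']}: {f['preview']}")
```

Run as a pre-step in the pipeline: a non-empty findings list with allow_code_exec left at its default blocks the workflow and prints the steps a human must approve; the version check is the quick signal that the host still needs the upgrade regardless of what the file contains.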
Security Insight
This vulnerability underscores the inherent risk in powerful, low-code automation tools that execute code based on user-supplied configurations. Similar to past incidents in CI/CD tooling, it highlights how a feature designed for flexibility, such as direct shell command execution from a config file, can become a critical security liability if not paired with robust isolation and validation. As AI-powered agents and automation become more prevalent, the rush to adopt new capabilities must be balanced with foundational security reviews to prevent such high-severity oversights.
Related Advisories
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote ses...
PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM...
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_pro...
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing a...
Other Praison Praisonai Vulnerabilities
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules....
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/chec...