Critical (9.1)

PraisonAI leaks GitHub tokens in public artifacts (CVE-2026-40313)

CVE-2026-40313

Attackers can steal GitHub tokens from PraisonAI CI artifacts to push malicious code and poison releases. Update to version 4.5.140 to block credential leaks.

Affected: Praison Praisonai

Patch now - CVE-2026-40313 is a critical credential leak in PraisonAI multi-agent framework versions 4.5.139 and below that lets unauthenticated attackers steal GitHub tokens from build artifacts. This enables full software supply chain compromise to push malicious code and poison releases.

Overview

A critical vulnerability in the PraisonAI multi-agent framework’s continuous integration (CI) pipelines could allow attackers to steal credentials and compromise its software supply chain. The flaw, tracked as CVE-2026-40313, is present in versions 4.5.139 and below.

Vulnerability Details

The vulnerability is an instance of the “ArtiPACKED” attack. In affected versions, PraisonAI’s GitHub Actions workflows use the actions/checkout step without the critical security setting persist-credentials: false. This default behavior writes sensitive authentication tokens, like the GITHUB_TOKEN, into the .git/config file of the workflow’s workspace.

When the workflow subsequently creates and uploads public artifacts (such as build logs, test results, or compiled packages), these tokens can be inadvertently bundled inside them. Because PraisonAI is a public repository, any user can download these artifacts and extract the leaked credentials.

Impact

A successful attacker who obtains these tokens could perform a full supply chain compromise. This includes:

  • Pushing malicious code directly into the repository.
  • Poisoning official software releases and packages published to PyPI or Docker Hub.
  • Stealing other repository secrets.
  • Compromising the integrity of the framework for all downstream users and applications.

The attack requires no privileges (unauthenticated) and no user interaction, with a low attack complexity, leading to its critical CVSS score of 9.1.

Remediation and Mitigation

The primary and immediate action is to update PraisonAI to version 4.5.140 or later, where the maintainers have corrected the flawed workflow configurations.

For organizations managing their own GitHub Actions workflows, this serves as a critical reminder to audit all uses of actions/checkout. Always explicitly set persist-credentials: false unless a specific, justified downstream step requires persistent credentials. Furthermore, implement practices to ensure build artifacts do not contain sensitive files or directory histories. Regularly review and clean up old workflow artifacts.
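One way to run the audit described above is sketched below as an added example, not code from PraisonAI or from this advisory. It flags every actions/checkout step that does not set persist-credentials: false. The function name find_unsafe_checkouts and the sample workflow are assumptions made for illustration, and the scan is line-based rather than a full YAML parser.

```python
import re

# Constructed sample workflow for illustration; not taken from the PraisonAI repository.
SAMPLE_WORKFLOW = """\
jobs:
  test:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/upload-artifact@v4
        with:
          name: workspace
          path: .
  package:
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
"""

CHECKOUT = re.compile(r"\buses:\s*['\"]?actions/checkout@")
HARDENED = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*(#.*)?$")

def find_unsafe_checkouts(workflow_text):
    """Return line numbers of actions/checkout steps without persist-credentials: false."""
    findings = []
    step = None  # [indent of the step's "-", line of its checkout "uses:", hardened?]
    def close_step():
        if step and step[1] is not None and not step[2]:
            findings.append(step[1])
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never harden a step
        indent = len(line) - len(line.lstrip())
        if step is not None and indent <= step[0]:
            close_step()  # dedent or sibling list item: the current step has ended
            step = None
        if step is None and stripped.startswith("- "):
            step = [indent, None, False]
        if step is not None:
            if CHECKOUT.search(line):
                step[1] = lineno
            if HARDENED.match(line):
                step[2] = True
    close_step()
    return findings

if __name__ == "__main__":
    print(find_unsafe_checkouts(SAMPLE_WORKFLOW))
```

In the sample, the flagged checkout is also followed by an upload of the whole workspace (path: .), which is the combination that carries .git/config into the artifact.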

Security Insight

CVE-2026-40313 is a stark example of how foundational security hygiene in DevOps tooling is often overlooked in the rush to adopt advanced platforms like AI agent systems. It mirrors the risk seen in incidents like the GlassWorm attack, where stolen automation tokens became a primary attack vector. This vulnerability underscores that the complexity of modern CI/CD pipelines can introduce critical, silent failures, where a single default setting can undermine the entire security posture of a project, highlighting the gap between AI SOC Agent hype and the persistent reality of secrets management.
