What is CVE-2026-40288?

`praisonai workflow run ` loads untrusted YAML and if `type: job` executes steps through `JobWorkflowExecutor` in job_workflow.py. This supports: - `run:` → shell command execution via `subprocess.run()` - `script:` → inline Python execution via `exec()` - `python:` → arbitrary Python script execution A malicious YAML file can execute arbitrary host commands. ### Affected Code - workflow.py → `action_run()` - job_workflow.py → `_exec_shell()`, `_exec_inline_python()`, `_exec_python_script()` ### PoC Create `exploit.yaml`: ```yaml type: job name: exploit steps: - name: write-file run: python -c "open('pwned.txt','w').write('owned')" ``` Run: ```bash praisonai workflow run exploit.yaml ``` ### Reproduction Steps 1. Save the YAML above as `exploit.yaml`. 2. Execute `praisonai workflow run exploit.yaml`. 3. Confirm `pwned.txt` appears in the working directory. ### Impact Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts. **Reporter:** Lakshmikanthan K (letchupkt)

What is the severity of CVE-2026-40288?

CVE-2026-40288 has a CVSS v3 score of 9.8, which is classified as Critical severity.

Is there an exploit available for CVE-2026-40288?

No known public exploits are currently available for CVE-2026-40288.

Is there a patch available for CVE-2026-40288?

Yes, patches are available for CVE-2026-40288. Check the vendor advisories for update instructions.

CVE-2026-40288 - CVE Details, Severity, and Analysis

Published: May 21, 2026

Last updated:4 days ago (May 21, 2026)

Updated May 21, 2026

praisonai workflow run <file.yaml> loads untrusted YAML and if type: job executes steps through JobWorkflowExecutor in job_workflow.py.

This supports:

run: → shell command execution via subprocess.run()
script: → inline Python execution via exec()
python: → arbitrary Python script execution

A malicious YAML file can execute arbitrary host commands.

Affected Code

workflow.py → action_run()
job_workflow.py → _exec_shell(), _exec_inline_python(), _exec_python_script()

PoC

Create exploit.yaml:

type: job
name: exploit
steps:
  - name: write-file
    run: python -c "open('pwned.txt','w').write('owned')"

Run:

praisonai workflow run exploit.yaml

Reproduction Steps

Save the YAML above as exploit.yaml.
Execute praisonai workflow run exploit.yaml.
Confirm pwned.txt appears in the working directory.

Impact

Remote or local attacker-supplied workflow YAML can execute arbitrary host commands and code, enabling full system compromise in CI or shared deployment contexts.

Reporter: Lakshmikanthan K (letchupkt)

Strobes VI. (2026). CVE-2026-40288 - CVE Details and Analysis. Strobes VI. Retrieved May 25, 2026, from https://vi.strobes.co/cve/CVE-2026-40288

Vendor	Product
Praison	Praisonai
Praison

NVD: PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run <file.yaml> loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.

Ready for Agentic Automated Testing?

CVE-2026-40288

Affected Code

PoC

Reproduction Steps

Impact