CVE-2026-40111
published 2026-04-09CVE-2026-40111: PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly…
PriorityP350high8.8CVSS 3.1
AVNACLPRNUIRSUCHIHAH
EPSS
0.23%
13.6th percentile
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonaiagents | < 1.5.128 | 1.5.128 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.128 | 1.5.128 |
| praison | praisonaiagents | < 1.5.128 | 1.5.128 |
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
VulDB
MervinPraison PraisonAIAgents up to 1.5.127 Configuration hooks.py subprocess.run os command injection (GHSA-v7px-3835-7gjx)
vuldb·2026-04-10·CVSS 9.3
CVE-2026-40111 [CRITICAL] MervinPraison PraisonAIAgents up to 1.5.127 Configuration hooks.py subprocess.run os command injection (GHSA-v7px-3835-7gjx)
A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127 and classified as critical. This vulnerability affects the function subprocess.run of the file src/praisonai-agents/praisonaiagents/memory/hooks.py of the component Configuration Handler. The manipulation results in os command injection.
This vulnerability is identified as CVE-2026-40111. The attack is only possible with local access. There is not any exploit available.
It is suggested to upgrade the affected component.
GHSA
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
ghsa·2026-04-10
CVE-2026-40111 [CRITICAL] CWE-78 PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
PraisonAIAgents has an OS Command Injection via shell=True in Memory Hooks Executor (memory/hooks.py)
Summary
The memory hooks executor in praisonaiagents passes a user-controlled command string
directly to subprocess.run() with shell=True at
src/praisonai-agents/praisonaiagents/memory/hooks.py lines 303 to 305.
No sanitization, no shlex.quote(), no character filter, and no allowlist check
exists anywhere in this file. Shell metacharacters including semicolons, pipes,
ampersands, backticks, dollar-sign substitutions, and newlines are interpreted by
/bin/sh before the intended command executes.
Two independent attack surfaces exist. The first is via pre_run_command and
post_run_command hook event types registered through the hooks configuration.
The second and more severe surface is the
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-04-09
Published