CVE-2026-40153
Published 2026-04-09
Priority P3 · 38 · CVSS 3.1 base score 6.5 (medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
EPSS: 0.27% (18.9th percentile)
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonaiagents | < 1.5.128 | 1.5.128 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.128 | 1.5.128 |
| praison | praisonaiagents | < 1.5.128 | 1.5.128 |
GHSA
PraisonAIAgents: Environment Variable Secret Exfiltration via os.path.expandvars() Bypassing shell=False in Shell Tool
ghsa · 2026-04-10 · CVE-2026-40153 · HIGH · CWE-526
## Summary
The `execute_command` function in `shell_tools.py` calls `os.path.expandvars()` on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using `shell=False` (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the **unexpanded** `$VAR` references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes.
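To make the approval mismatch concrete, here is an added example (not PraisonAIAgents code) that models the two argv-building paths the advisory contrasts and adds a pre-execution check an approval gate could run; the `PRAISON_DEMO_SECRET` variable and the `audit` helper are constructed for the demonstration and nothing is executed.

```python
import os
import shlex

# Constructed secret for the demonstration; no command is ever executed here.
os.environ["PRAISON_DEMO_SECRET"] = "constructed-demo-value"


def build_argv_vulnerable(command: str) -> list[str]:
    """Model of the pattern the advisory describes (hypothetical reconstruction,
    not the project's code): tokens are split for shell=False, then each token
    is passed through os.path.expandvars(), so "$NAME" becomes the variable's
    value even though no shell is involved."""
    return [os.path.expandvars(tok) for tok in shlex.split(command)]


def build_argv_fixed(command: str) -> list[str]:
    """Hardened form: no manual expansion. With shell=False the literal string
    "$NAME" reaches the program unchanged, which is what the reviewer saw."""
    return shlex.split(command)


def approval_matches_execution(displayed: str, argv: list[str]) -> bool:
    """Gate check: the tokens a human approves must equal the argv executed."""
    return shlex.split(displayed) == argv


def tokens_that_would_expand(argv: list[str]) -> list[str]:
    """Pre-execution detection: tokens that os.path.expandvars() would alter.
    expandvars() leaves references to unset variables untouched, so only
    tokens whose executed form would actually differ are reported."""
    return [tok for tok in argv if os.path.expandvars(tok) != tok]


def audit(command: str, build) -> dict:
    """Summarise one approval/execution path for the given argv builder."""
    argv = build(command)
    return {
        "displayed": command,
        "argv": argv,
        "approved_matches_executed": approval_matches_execution(command, argv),
        "flag_for_reviewer": tokens_that_would_expand(shlex.split(command)),
    }


if __name__ == "__main__":
    cmd = 'echo "$PRAISON_DEMO_SECRET"'
    print(audit(cmd, build_argv_vulnerable))  # argv carries the variable's value
    print(audit(cmd, build_argv_fixed))       # argv carries the literal reference
```

The `flag_for_reviewer` list is what an approval UI should surface alongside the command, so the reviewer sees which tokens would be rewritten before execution.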
## Details
The vulnerable code is in `src/praisonai-agents/praisonaiagents/tools/shell_tools.py`:
```python
# Line 60: comman
```
VulDB
MervinPraison PraisonAIAgents up to 1.5.127 shell_tools.py os.path.expandvars exposure of sensitive information through environmental variables (GHSA-v8g7-9q6v-p3x8)
vuldb · 2026-04-10 · CVE-2026-40153 · HIGH · CVSS 7.4
A vulnerability was found in MervinPraison PraisonAIAgents up to 1.5.127. It has been rated as problematic. This impacts the function os.path.expandvars of the file shell_tools.py. The manipulation leads to exposure of sensitive information through environmental variables.
This vulnerability is listed as CVE-2026-40153. The attack may be initiated remotely. There is no available exploit.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.