CVE-2026-40154
Published 2026-04-09
Priority: P349, critical, CVSS 3.1 score 9.6
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.30% (22.0th percentile)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates. This vulnerability is fixed in 4.5.128.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 0 < 4.5.128 | 4.5.128 |
| praison | praisonai | < 4.5.128 | 4.5.128 |
VulDB
MervinPraison PraisonAI up to 4.5.127 inclusion of functionality from untrusted control sphere (GHSA-pv9q-275h-rh7x)
vuldb·2026-04-10·CVSS 9.3
CVE-2026-40154 [CRITICAL] MervinPraison PraisonAI up to 4.5.127 inclusion of functionality from untrusted control sphere (GHSA-pv9q-275h-rh7x)
A vulnerability described as critical has been identified in MervinPraison PraisonAI up to 4.5.127. This affects an unknown function. The manipulation results in inclusion of functionality from untrusted control sphere.
This vulnerability is known as CVE-2026-40154. It is possible to launch the attack remotely. No exploit is available.
Upgrading the affected component is recommended.
GHSA
PraisonAI Vulnerable Untrusted Remote Template Code Execution
ghsa·2026-04-10
CVE-2026-40154 [CRITICAL] CWE-829 PraisonAI Vulnerable Untrusted Remote Template Code Execution
PraisonAI treats remotely fetched template files as trusted executable code without integrity verification, origin validation, or user confirmation, enabling supply chain attacks through malicious templates.
---
## Description
When a user installs a template from a remote source (e.g., GitHub), PraisonAI downloads Python files (including `tools.py`) to a local cache without:
1. Code signing verification
2. Integrity checksum validation
3. Dangerous code pattern scanning
4. User confirmation before execution
When the template is subsequently used, the cached `tools.py` is automatically loaded and executed via `exec_module()`, granting the template's code full access to the user's environment, filesystem, and network.
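One way to close the integrity gap described above, as an added example that is not PraisonAI's code or its 4.5.128 fix: pin a SHA-256 digest of `tools.py` when the template is reviewed and refuse to execute a cached copy that differs. The helper name `load_pinned_tools`, the exception class and the sample file contents are assumptions constructed for illustration.

```python
import hashlib
import hmac
import tempfile
import types
from pathlib import Path


class TemplateIntegrityError(Exception):
    """Raised when a cached template file does not match its pinned digest."""


def load_pinned_tools(tools_path: Path, pinned_sha256: str) -> types.ModuleType:
    """Hypothetical helper: execute tools.py only if its SHA-256 matches the pin."""
    data = tools_path.read_bytes()  # read once; hash and execute the same bytes
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, pinned_sha256.lower()):
        raise TemplateIntegrityError(
            f"{tools_path.name}: expected {pinned_sha256}, got {actual}")
    module = types.ModuleType("template_tools")
    module.__file__ = str(tools_path)
    # Compile the verified bytes directly instead of handing the path to
    # exec_module(), which would read the file from disk a second time.
    exec(compile(data, str(tools_path), "exec"), module.__dict__)
    return module


def demo() -> tuple[str, bool]:
    """Constructed sample: a reviewed tools.py, then the same file altered in cache."""
    with tempfile.TemporaryDirectory() as cache:
        tools = Path(cache) / "tools.py"
        reviewed = b"def greet(name):\n    return 'hello ' + name\n"
        tools.write_bytes(reviewed)
        pin = hashlib.sha256(reviewed).hexdigest()  # recorded at review time
        greeting = load_pinned_tools(tools, pin).greet("agent")
        # Simulate the cached copy changing after review (constructed content).
        tools.write_bytes(reviewed + b"CHANGED = True\n")
        try:
            load_pinned_tools(tools, pin)
            rejected = False
        except TemplateIntegrityError:
            rejected = True
        return greeting, rejected


if __name__ == "__main__":
    print(demo())
```

The pin only helps if it is stored and distributed separately from the template source, so that whoever controls the remote repository cannot update both together.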
---