CVE-2026-40113

CVE-2026-40113 is a high-severity security vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128.

Summary

deploy.py constructs a single comma-delimited string for the gcloud run
deploy --set-env-vars argument by directly interpolating openai_model,
openai_key, and openai_base without validating that these values do not
contain commas. gcloud uses a comma as the key-value pair separator for
--set-env-vars. A comma in any of the three values causes gcloud to
parse the trailing text as additional KEY=VALUE definitions, injecting
arbitrary environment variables into the deployed Cloud Run service.

Grep Commands and Evidence

Step 1. Confirm the vulnerable string construction at line 150

    grep -n "set-env-vars\|openai_key\|openai_base\|openai_model" \
      src/praisonai/praisonai/deploy.py

Expected output showing unsanitized interpolation:

    150:  '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

Step 2. Confirm no comma validation exists before this line

    grep -n "comma\|assertNotIn\|ValueError\|sanitize\|strip\|replace" \
      src/praisonai/praisonai/deploy.py

Expected output: no results related to input validation.

Step 3. View the full context of the vulnerable construction

    sed -n '140,165p' \
      src/praisonai/praisonai/deploy.py

This block shows the gcloud command list where the three values are
joined into one comma-separated string passed as a single argument
element. gcloud receives this string and applies its own
comma-based parsing, which the subprocess list form cannot prevent.

Step 4. Confirm subprocess is called without shell=True

    grep -n "subprocess\|Popen\|shell=" \
      src/praisonai/praisonai/deploy.py

This confirms shell=False (default), meaning the injection is at the
gcloud argument level, not the shell level. The comma delimiter is
parsed by gcloud itself, not by /bin/sh.

Step 5. Confirm no existing advisory covers this file

    grep -rn "deploy.py\|set.env.vars\|openai_base" \
      src/praisonai/praisonai/deploy.py

Vulnerability Description

File:
src/praisonai/praisonai/deploy.py

Vulnerable line:

  150: '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

The three values openai_model, openai_key, and openai_base originate
from environment variables or user-provided configuration and are
interpolated directly into a single f-string without validation.

The subprocess call uses a Python list without shell=True. This means
there is no shell injection. The subprocess module passes the f-string
as one complete argument to gcloud. gcloud then applies its own internal
parsing to the value of --set-env-vars using a comma as the delimiter.
This parsing is entirely outside Python's control.

If any of the three values contains a comma, gcloud splits on that comma
and creates an additional KEY=VALUE environment variable from the text
following it. There is no error or warning from gcloud when this occurs.

The three values are attacker-controllable in any scenario where
environment variables can be set before the deploy command runs. This
includes compromised dotenv files, poisoned CI pipeline secrets, and
local developer machines where an attacker has shell access.

Proof of Concept

Attacker-controlled openai_base value:

    export OPENAI_API_KEY="sk-legitimate-key"
    export OPENAI_MODEL_NAME="gpt-4"
    export OPENAI_API_BASE="https://api.openai.com/v1,INJECTED=attacker_value"

Run the deploy command. The string constructed at line 150 becomes:

    OPENAI_MODEL_NAME=gpt-4,OPENAI_API_KEY=sk-legitimate-key,OPENAI_API_BASE=https://api.openai.com/v1,INJECTED=attacker_value

gcloud parses this as four key-value pairs and creates all four as
environment variables in the Cloud Run service. INJECTED=attacker_value
is a real environment variable available to every request the service
handles.

Verify the injection after deployment:

    gcloud run services describe praisonai-service \
      --region us-central1 \
      --format "value(spec.template.spec.containers[0].env)"

The output includes INJECTED alongside the three legitimate variables.

API key override:

    export OPENAI_API_KEY="sk-real,OPENAI_API_KEY=sk-attacker"

The constructed string contains OPENAI_API_KEY twice. In gcloud versions
where the last-defined value takes precedence, the deployed service uses
sk-attacker for all LLM API calls. All agent traffic routes through the
attacker-controlled API account.

Impact

An attacker who can influence any of the three environment variables
before deploy.py runs can inject arbitrary environment variables into
the deployed Cloud Run production service without triggering any error.

Injection scenarios include a malicious git hook that modifies a dotenv
file before deployment, a compromised CI pipeline secret, or any local
access that allows setting environment variables in the deploy shell
session.

Consequences include overriding the API key used by the production
service, injecting proxy settings that redirect all outbound LLM traffic,
setting debug or verbose flags that write sensitive data to Cloud Run
logs, and overriding any security-relevant variable the service reads
from its environment.

The API key override scenario is the highest-impact case. All production
LLM calls made by the deployed service are billed to and logged by the
attacker's API account, giving the attacker full visibility into every
agent prompt and response processed in production.

Recommended Fix

Pass each variable as a separate --update-env-vars flag so each value
is an isolated argument and gcloud never performs comma-based parsing
across multiple values:

Before:

    ['gcloud', 'run', 'deploy', 'praisonai-service',
     '--set-env-vars',
     f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}']

After:

    ['gcloud', 'run', 'deploy', 'praisonai-service',
     '--update-env-vars', f'OPENAI_MODEL_NAME={openai_model}',
     '--update-env-vars', f'OPENAI_API_KEY={openai_key}',
     '--update-env-vars', f'OPENAI_API_BASE={openai_base}']

Each --update-env-vars element is a separate string in the subprocess
list. The subprocess module passes each as a distinct argument to
gcloud. gcloud receives three separate single-variable assignments and
performs no cross-argument comma parsing.

Add pre-flight validation as a secondary control:

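    # Reject any value containing gcloud's list delimiter before the
    # command list is built.
    for label, value in [
        ("OPENAI_MODEL_NAME", openai_model),
        ("OPENAI_API_KEY", openai_key),
        ("OPENAI_API_BASE", openai_base),
    ]:
        if "," in value:
            # The value itself is not echoed: it may be the API key.
            raise ValueError(
                f"{label} contains a comma and would corrupt "
                f"--set-env-vars"
            )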
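
The two proof-of-concept inputs above, run through a simplified model of comma-delimited KEY=VALUE parsing, next to a builder that rejects the delimiter before emitting one flag per variable. This is an added example, not PraisonAI or gcloud code; `vulnerable_arg`, `parse_env_list` and `build_env_flags` are hypothetical names, and last-value-wins for a repeated key is an assumption.

```python
# Added example. parse_env_list() is a simplified stand-in for gcloud's
# comma-delimited KEY=VALUE parsing, not gcloud's actual code.

def vulnerable_arg(openai_model, openai_key, openai_base):
    """Rebuild the single string deploy.py passed to --set-env-vars."""
    return (f"OPENAI_MODEL_NAME={openai_model},"
            f"OPENAI_API_KEY={openai_key},"
            f"OPENAI_API_BASE={openai_base}")


def parse_env_list(arg):
    """Split on commas, then on the first '=' of each pair.

    Assumption: a repeated key keeps its last value, the case the
    advisory describes for the API key override.
    """
    env = {}
    for pair in arg.split(","):
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError("malformed KEY=VALUE pair")
        env[key] = value
    return env


def build_env_flags(values):
    """Fail closed on the delimiter, then emit one flag per variable."""
    argv = []
    for name, value in values.items():
        if not isinstance(value, str) or not value:
            raise ValueError(f"{name} is unset or not a string")
        if "," in value:
            # Name only: the rejected value may be the API key.
            raise ValueError(f"{name} contains a comma")
        argv += ["--update-env-vars", f"{name}={value}"]
    return argv


if __name__ == "__main__":
    # Values taken from the advisory's proof of concept.
    poisoned = "https://api.openai.com/v1,INJECTED=attacker_value"
    print(parse_env_list(vulnerable_arg("gpt-4", "sk-legitimate-key", poisoned)))
    try:
        build_env_flags({"OPENAI_API_BASE": poisoned})
    except ValueError as exc:
        print("rejected:", exc)
```
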

References

CWE-88 Improper Neutralization of Argument Delimiters in a Command
gcloud run deploy documentation for --set-env-vars KEY=VALUE comma
delimiter specification

Impact

CVE-2026-40113 has a CVSS score of 8.4 (High). The vector requires local access and low privileges, with no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.128); upgrading removes the vulnerable code path.

Affected versions

PraisonAI (< 4.5.128)

Security releases

PraisonAI → 4.5.128 (pip)

Remediation advice

Upgrade PraisonAI to 4.5.128 or later to resolve this vulnerability.
