CVE-2026-40111: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in MervinPraison PraisonAIAgents
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
AI Analysis
Technical Summary
PraisonAIAgents before version 1.5.128 contains an OS command injection vulnerability (CWE-78) due to improper neutralization of special elements in user-controlled command strings passed to subprocess.run() with shell=True. The memory hooks executor executes these commands without sanitization, allowing shell metacharacters to be interpreted by /bin/sh. Two independent attack vectors exist: one via hook event types registered through configuration, and a more severe one via the .praisonai/hooks.json lifecycle configuration file, which can be overwritten by an agent with file-write access through prompt injection. This allows silent execution of arbitrary commands at lifecycle events without further user interaction. The vulnerability is resolved in version 1.5.128.
Potential Impact
An attacker with limited privileges (local access with low privileges) can exploit this vulnerability to execute arbitrary OS commands with the privileges of the PraisonAIAgents process. The vulnerability allows silent and persistent command execution through lifecycle hooks, potentially leading to full system compromise or unauthorized actions. The CVSS 4.0 score is 9.3 (critical), reflecting high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed. Since no official patch advisory is provided, users should verify the version in use and apply the update promptly. Until upgraded, restrict file-write access to the .praisonai/hooks.json file and avoid registering untrusted hooks. Patch status is not explicitly confirmed beyond the version fix; check vendor sources for any additional guidance.
CVE-2026-40111: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in MervinPraison PraisonAIAgents
Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a user-controlled command string directly to subprocess.run() with shell=True at src/praisonai-agents/praisonaiagents/memory/hooks.py. No sanitization is performed and shell metacharacters are interpreted by /bin/sh before the intended command executes. Two independent attack surfaces exist. The first is via pre_run_command and post_run_command hook event types registered through the hooks configuration. The second and more severe surface is the .praisonai/hooks.json lifecycle configuration, where hooks registered for events such as BEFORE_TOOL and AFTER_TOOL fire automatically during agent operation. An agent that gains file-write access through prompt injection can overwrite .praisonai/hooks.json and have its payload execute silently at every subsequent lifecycle event without further user interaction. This vulnerability is fixed in 1.5.128.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PraisonAIAgents before version 1.5.128 contains an OS command injection vulnerability (CWE-78) due to improper neutralization of special elements in user-controlled command strings passed to subprocess.run() with shell=True. The memory hooks executor executes these commands without sanitization, allowing shell metacharacters to be interpreted by /bin/sh. Two independent attack vectors exist: one via hook event types registered through configuration, and a more severe one via the .praisonai/hooks.json lifecycle configuration file, which can be overwritten by an agent with file-write access through prompt injection. This allows silent execution of arbitrary commands at lifecycle events without further user interaction. The vulnerability is resolved in version 1.5.128.
Potential Impact
An attacker with limited privileges (local access with low privileges) can exploit this vulnerability to execute arbitrary OS commands with the privileges of the PraisonAIAgents process. The vulnerability allows silent and persistent command execution through lifecycle hooks, potentially leading to full system compromise or unauthorized actions. The CVSS 4.0 score is 9.3 (critical), reflecting high impact on confidentiality, integrity, and availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Upgrade PraisonAIAgents to version 1.5.128 or later, where this vulnerability is fixed. Since no official patch advisory is provided, users should verify the version in use and apply the update promptly. Until upgraded, restrict file-write access to the .praisonai/hooks.json file and avoid registering untrusted hooks. Patch status is not explicitly confirmed beyond the version fix; check vendor sources for any additional guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-09T01:41:38.536Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d843751cc7ad14da3fb55c
Added to database: 4/10/2026, 12:25:25 AM
Last enriched: 4/10/2026, 12:50:45 AM
Last updated: 4/10/2026, 7:24:25 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.