The vulnerability in PraisonAI affects the workflow engine's handling of YAML files with type: job. Specifically, the JobWorkflowExecutor processes steps that execute shell commands (via subprocess.run()), inline Python code (via exec()), and arbitrary Python scripts without any input validation, sandboxing, or user confirmation. The affected functions include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker able to supply or influence these YAML workflow files—such as in CI pipelines, shared repositories, or multi-tenant environments—can achieve arbitrary command execution on the host system. This vulnerability is tracked as CVE-2026-40288 and has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The issue is resolved in PraisonAI version 4.5.139 and praisonaiagents version 1.5.140.

Successful exploitation allows an unauthenticated attacker who can supply or influence a workflow YAML file to execute arbitrary shell commands and Python code on the host system. This leads to full system compromise, including confidentiality, integrity, and availability impacts. The attacker can access or modify data, credentials, and potentially control the entire affected host.

A fixed version is available: upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later. These versions address the vulnerability by implementing necessary validation and sandboxing. Until upgrading, restrict access to workflow YAML files and avoid running untrusted workflows. Patch status is confirmed by the vendor advisory indicating the fix in the specified versions.