CVE-2026-40313 affects PraisonAI, a multi-agent teams system, due to insecure GitHub Actions workflow configurations in versions prior to 4.5.140. The workflows use actions/checkout without setting persist-credentials: false, causing the GITHUB_TOKEN and sometimes ACTIONS_RUNTIME_TOKEN to be saved in the .git/config file. When subsequent workflow steps upload artifacts, these tokens may be included and exposed to any user with read access to the public repository. This exposure allows attackers to push malicious code, poison releases and package repositories, steal secrets, and perform full supply chain compromises. The issue spans multiple workflow and action files and has been addressed in version 4.5.140.

The vulnerability allows unauthorized users with read access to the public PraisonAI repository to obtain sensitive GitHub tokens from workflow artifacts. This can lead to malicious code injection, poisoning of releases and package repositories (PyPI/Docker), theft of repository secrets, and a full supply chain compromise affecting all downstream users. The CVSS score of 9.1 reflects a critical impact with high confidentiality and integrity consequences but no direct availability impact.

Upgrade PraisonAI to version 4.5.140 or later, where this issue has been fixed by properly configuring GitHub Actions workflows to prevent credential leakage. Specifically, workflows should set persist-credentials: false in actions/checkout steps to avoid persisting tokens in .git/config. Since this is a repository configuration issue, patching the workflows is the recommended remediation. Patch status is not explicitly stated as 'official-fix' but the issue is fixed in version 4.5.140, so upgrading is the effective fix.