CVE-2026-40313: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in MervinPraison PraisonAI
PraisonAI versions 4. 5. 139 and below contain a critical vulnerability in their GitHub Actions workflows related to credential leakage. The issue arises from using actions/checkout without setting persist-credentials: false, causing sensitive tokens like GITHUB_TOKEN to be written into . git/config and potentially included in uploaded artifacts. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract tokens, enabling malicious code pushes, supply chain compromise, and theft of repository secrets. This vulnerability has been fixed in version 4. 5. 140.
AI Analysis
Technical Summary
PraisonAI (versions ≤ 4.5.139) uses GitHub Actions workflows that improperly handle credentials by not disabling persistence of GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN during checkout. This results in these tokens being stored in .git/config and possibly included in artifacts uploaded during workflow execution. Because PraisonAI is a public repository, any user with read access can download these artifacts and extract the tokens, potentially allowing attackers to push malicious code, poison releases and package repositories, steal secrets, and perform supply chain attacks. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The issue affects multiple workflow and action files and was resolved in version 4.5.140.
Potential Impact
The vulnerability allows unauthorized users with read access to the public PraisonAI repository to obtain sensitive GitHub tokens from workflow artifacts. These tokens can be used to push malicious code, compromise releases, poison package repositories such as PyPI and Docker, steal repository secrets, and execute full supply chain compromises impacting all downstream users. The CVSS score of 9.1 reflects a critical impact with high confidentiality and integrity consequences but no availability impact.
Mitigation Recommendations
This vulnerability has been fixed in PraisonAI version 4.5.140. Users should upgrade to version 4.5.140 or later to remediate the issue. The fix involves setting persist-credentials: false in actions/checkout to prevent token leakage. Since no official remediation level or patch link is provided, users should verify the upgrade and review their workflows to ensure tokens are not persisted or leaked in artifacts.
CVE-2026-40313: CWE-829: Inclusion of Functionality from Untrusted Control Sphere in MervinPraison PraisonAI
Description
PraisonAI versions 4. 5. 139 and below contain a critical vulnerability in their GitHub Actions workflows related to credential leakage. The issue arises from using actions/checkout without setting persist-credentials: false, causing sensitive tokens like GITHUB_TOKEN to be written into . git/config and potentially included in uploaded artifacts. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract tokens, enabling malicious code pushes, supply chain compromise, and theft of repository secrets. This vulnerability has been fixed in version 4. 5. 140.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PraisonAI (versions ≤ 4.5.139) uses GitHub Actions workflows that improperly handle credentials by not disabling persistence of GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN during checkout. This results in these tokens being stored in .git/config and possibly included in artifacts uploaded during workflow execution. Because PraisonAI is a public repository, any user with read access can download these artifacts and extract the tokens, potentially allowing attackers to push malicious code, poison releases and package repositories, steal secrets, and perform supply chain attacks. The vulnerability is classified under CWE-829 (Inclusion of Functionality from Untrusted Control Sphere). The issue affects multiple workflow and action files and was resolved in version 4.5.140.
Potential Impact
The vulnerability allows unauthorized users with read access to the public PraisonAI repository to obtain sensitive GitHub tokens from workflow artifacts. These tokens can be used to push malicious code, compromise releases, poison package repositories such as PyPI and Docker, steal repository secrets, and execute full supply chain compromises impacting all downstream users. The CVSS score of 9.1 reflects a critical impact with high confidentiality and integrity consequences but no availability impact.
Mitigation Recommendations
This vulnerability has been fixed in PraisonAI version 4.5.140. Users should upgrade to version 4.5.140 or later to remediate the issue. The fix involves setting persist-credentials: false in actions/checkout to prevent token leakage. Since no official remediation level or patch link is provided, users should verify the upgrade and review their workflows to ensure tokens are not persisted or leaked in artifacts.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T21:41:54.505Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ddbc3182d89c981fc24dd5
Added to database: 4/14/2026, 4:01:53 AM
Last enriched: 4/14/2026, 4:16:56 AM
Last updated: 4/14/2026, 6:31:30 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.