RAXE-2026-060 CRITICAL CVSS 9.6 v3.1 S2

PraisonAI Post-Cluster Wave: execute_command OS Command Injection + Multi-Backend SQL Injection Incomplete-Fix (CVE-2026-40088, CVE-2026-40315)

Agent Security 2026-04-23 M. Hirani TLP:GREEN

At a glance

  • The issue: Three more PraisonAI vulnerabilities, a month after the earlier nine-CVE cluster: an OS command-injection through execute_command(), plus a SQL-injection in the conversation store that the first two patches did not fully fix.
  • Who's affected: Any deployment of praisonai or praisonaiagents from PyPI before the latest fix release.
  • What to do now: Upgrade praisonai to 4.5.149 and praisonaiagents to 1.6.8 together — the only combination that closes all three issues.

Executive Summary

A three-advisory post-cluster wave landed against MervinPraison's PraisonAI multi-agent framework on PyPI between 2026-04-09 and 2026-04-17, a month after RAXE's earlier nine-CVE cluster publication against the same codebase.

  (a) CVE-2026-40088 (GHSA-2763-cj5r-c79m): execute_command() in code/tools/execute_command.py passes user-controlled strings into subprocess.run(shell=True), enabling OS command injection via shell metacharacters reachable from agent workflows, YAML step definitions, agent configuration files, and LLM-generated tool-call parameters (GHSA-2763-cj5r-c79m; NVD). NVD CVSS 3.1 Primary is 9.6 CRITICAL, CWE-78 (Primary from the GitHub CNA, adopted by NVD). Fixed in praisonai 4.5.121.

  (b) CVE-2026-40315: SQLiteConversationStore concatenates the table_prefix configuration value directly into SQL identifier positions, allowing SQL identifier injection. NVD CVSS 3.1 Primary 9.8 CRITICAL, CWE-89 (Secondary from the GitHub CNA; NVD did not independently assign a Primary CWE for this CVE). Fixed in praisonai 4.5.133.

  (c) GHSA-rg3h-x3jw-7jm5: follow-on advisory disclosing that the 4.5.133 fix was incomplete; the same table_prefix identifier-injection pattern remained live in nine other conversation-store backend classes beyond SQLite. CNA CVSS 3.1 Secondary 8.1 HIGH, CWE-89. No CVE assigned as of 2026-04-23. Fixed in praisonai 4.5.149 and praisonaiagents 1.6.8 together (GHSA-rg3h-x3jw-7jm5; PyPI).

Risk Rating

| Dimension | Rating | Detail |
| --- | --- | --- |
| Severity | Critical for 40088 and 40315; High for GHSA-rg3h | NVD CVSS 3.1 Primary 9.6 CRITICAL (40088) and 9.8 CRITICAL (40315). CNA CVSS 3.1 Secondary 8.1 HIGH for GHSA-rg3h. See CVSS Divergence section. |
| Urgency | Moderate, patch is available and auto-update-available; narrow exposure window for users who adopted partial fixes | Fix releases on PyPI: 4.5.121 (closes 40088) on 2026-04-09; 4.5.133 (closes 40315) on 2026-04-14; 4.5.149 + praisonaiagents 1.6.8 (close GHSA-rg3h) on 2026-04-16. GHSA-rg3h advisory disclosure lagged the fix by one day and was published on 2026-04-17. Organisations that only reached 4.5.121 or 4.5.133 remain exposed to at least one advisory until they reach 4.5.149. |
| Scope | praisonai <= 4.5.148 and praisonaiagents <= 1.6.7 deployments | Network-reachable or configuration-addressable exposure depending on the specific advisory. |
| Confidence | High | Root cause, attack channels, and fix versions all directly attested in the GHSA records and NVD descriptions; corroborated by PyPI package availability for all three fix versions. |
| Business Impact | Critical on affected deployments | OS command injection grants RCE at the PraisonAI process privilege level (40088); SQL identifier injection grants full read/write on the conversation-store backend (40315 under NVD-3.1 AV:N/PR:N reading; GHSA-rg3h under PR:L, requires an actor able to set the table_prefix configuration value) and can pivot to multi-tenant data exposure if the store is shared. |

CVSS Divergence

The most notable divergence in this cluster is on CVE-2026-40315:

  • NVD CVSS 3.1 Primary: 9.8 CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (network-reachable, unauthenticated)
  • NVD CVSS 4.0 Secondary (from GitHub CNA): 7.2 HIGH, vector AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N (local, low-priv required)

RAXE reads the CNA's local/low-priv framing as consistent with the typical deployment-time posture of table_prefix (set via config file or environment variable at deployment). However, Chain B in the Attack Flow section notes that an LLM-influenced configuration-update path can mutate table_prefix at runtime, which is what makes the NVD AV:N reading defensible. RAXE retains the NVD 3.1 Primary as the formal reference severity per RAXE publication convention (NVD Primary outranks CNA Secondary), and the 7.2 CVSS 4.0 is the more operationally-descriptive score for defenders whose threat model excludes runtime configuration-mutation paths. Practitioners should read both together.

Affected Products

| Product | Affected Versions | Fix Version | Status |
| --- | --- | --- | --- |
| praisonai (PyPI), for CVE-2026-40088 | < 4.5.121 | 4.5.121 | Patched (vendor via GHSA) |
| praisonai (PyPI), for CVE-2026-40315 | < 4.5.133 | 4.5.133 | Patched (vendor via NVD) |
| praisonai (PyPI), for GHSA-rg3h (incomplete-fix) | <= 4.5.148 | 4.5.149 | Patched (vendor via GHSA) |
| praisonaiagents (PyPI), for GHSA-rg3h | <= 1.6.7 | 1.6.8 | Patched (vendor via GHSA) |

To close all three advisories together: upgrade to praisonai >= 4.5.149 AND praisonaiagents >= 1.6.8. Partial upgrades to 4.5.121 or 4.5.133 leave one or two advisories exposed.

Am I affected?

  • Check versions: pip show praisonai and pip show praisonaiagents. Below the 4.5.149 / 1.6.8 floors means at least one of the three advisories applies.
  • Check workflow configuration: if the deployment runs any workflow YAML or agent-configuration file containing type: shell step target values with shell metacharacters (;, |, &&, $(), backticks), the pre-4.5.121 OS-cmd injection was reachable.
  • Check conversation-store backend: if the praisonaiagents package has been used with any non-(sync-)SQLite conversation store between 2026-04-14 and the upgrade to 4.5.149, the GHSA-rg3h SQL injection was live during that window. The nine affected backends per GHSA-rg3h are MySQL, PostgreSQL, async SQLite, async MySQL, async PostgreSQL, Turso/LibSQL, SingleStore, Supabase, and SurrealDB.

Abstract

Three separate vulnerabilities in PraisonAI's codebase were disclosed between 2026-04-09 and 2026-04-17, each with an independent fix release: CVE-2026-40088 (OS command injection via execute_command(), fixed in praisonai 4.5.121), CVE-2026-40315 (SQL identifier injection in SQLiteConversationStore, fixed in praisonai 4.5.133), and GHSA-rg3h-x3jw-7jm5 (the same SQL identifier injection pattern found across nine additional conversation-store backends, fixed in praisonai 4.5.149 + praisonaiagents 1.6.8) (GHSA-2763-cj5r-c79m; NVD CVE-2026-40088; NVD CVE-2026-40315; GHSA-rg3h-x3jw-7jm5; PyPI). The three advisories share a codebase but no other structural element: the OS command injection is the classic subprocess.run(shell=True) pattern with user-controlled input; the two SQL advisories share a different bug class, SQL identifier concatenation bypassing the protections offered by ordinary query parameterisation (identifier positions precede parameter binding). The GHSA-rg3h advisory is explicitly labelled "incomplete fix for CVE-2026-40315", making this the fourth RAXE-covered case where a vendor patch landed, was inspected, and found to cover fewer code paths than the original CVE's language implied.

Key Findings

  1. subprocess.run(shell=True) with user-controlled input remains a live pattern in agentic CLIs. CVE-2026-40088 is this pattern applied to multi-agent workflow orchestration: the user-controlled input reaches execute_command() via four distinct channels (YAML workflow step definitions, agent configuration files, LLM tool-call parameters, recipe step configurations), any of which is attacker-influenceable in normal deployment (GHSA-2763-cj5r-c79m).
  2. SQL identifier injection is a parallel class to SQL parameter injection and is not protected by parameterised queries. Because identifiers (table names, column names) are resolved by the SQL parser before parameter binding, ?-style placeholders do not apply. CVE-2026-40315 and GHSA-rg3h are both this class: the table_prefix value is concatenated into the identifier position of dynamically-constructed SQL, and no amount of parameter binding downstream of that concatenation protects the query structure (NVD; GHSA-rg3h-x3jw-7jm5).
  3. The "incomplete fix" framing is explicit and important. GHSA-rg3h's summary text names CVE-2026-40315 and states the 4.5.133 patch only covered the synchronous SQLiteConversationStore. Nine sibling backends in praisonaiagents/persistence/conversation/ (MySQL, PostgreSQL, async SQLite, async MySQL, async PostgreSQL, Turso/LibSQL, SingleStore, Supabase, and SurrealDB) retained the same table_prefix → f-string-SQL pattern across 52 unvalidated injection points; postgres.py additionally exposed an unvalidated schema parameter in DDL (GHSA-rg3h-x3jw-7jm5).
  4. Velocity continues. This is the second cluster against PraisonAI in 30 days. The prior nine-CVE cluster covered sandbox bypass, authentication bypass, MCP boundary issues, and SSRF; this wave adds two more CVEs and one no-CVE GHSA covering OS command injection and cross-backend SQL injection. Twelve CVE/GHSA advisories in a month across two distinct bug classes with no overlap is a structural signal about code-review discipline, not a string of coincidences (RAXE assessment).

Attack Flow

PraisonAI deployment with praisonai <= 4.5.148 and/or
praisonaiagents <= 1.6.7. Three separable attack chains share a
target set but have different preconditions:

=== Chain A — CVE-2026-40088 (OS cmd injection) ===

  Attacker → any input channel that reaches execute_command():
      - workflow YAML step.target
      - agent config (agents.yaml) field
      - LLM tool-call parameter
      - recipe step configuration

  Attacker content:
      <anything>; <attacker-command>

  PraisonAI runtime: subprocess.run(content, shell=True)
      → shell parses ; as separator
      → attacker command executes in PraisonAI process context

  Outcome: RCE at PraisonAI process privilege level.

=== Chain B — CVE-2026-40315 (SQLite SQL identifier injection) ===

  Attacker → controls table_prefix configuration value
      (typically via config file, environment variable, or
      LLM-influenced configuration update path).

  Attacker content:
      table_prefix = evil"; DROP TABLE ...; --

  PraisonAI runtime (SQLiteConversationStore, pre-4.5.133):
      "CREATE TABLE " + table_prefix + "conversations (...)"
      → identifier-position injection executes attacker SQL

  Outcome: full read/write on the conversation store.

=== Chain C — GHSA-rg3h-x3jw-7jm5 (9-backend SQL injection) ===

  Same as Chain B, but applies to nine additional backend classes
  in praisonaiagents (all non-SQLite conversation stores). Active
  through praisonai 4.5.148 / praisonaiagents 1.6.7.

  Defenders who upgraded to 4.5.133 in response to CVE-2026-40315
  had Chain B closed but Chain C still open.

Technical Details

CVE-2026-40088: execute_command() OS command injection

execute_command() is located at code/tools/execute_command.py (the GHSA advisory cites lines 155-164). The function calls subprocess.run() with shell=True and uses a user-controlled string as the command argument; shell metacharacters are therefore interpreted by the shell (GHSA-2763-cj5r-c79m).

User-controlled channels that reach execute_command() (per the advisory): YAML workflow step definitions, agent configuration files (agents.yaml), LLM-generated tool-call parameters, and recipe step configurations. Each is an untrusted-input surface in normal multi-agent deployment: YAML in a contributed recipe or an LLM-emitted tool call is implicitly attacker-influenceable (RAXE assessment, based on the advisory's enumeration).

CVSS and severity: NVD Primary CVSS 3.1 9.6 CRITICAL, vector AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. GitHub's public advisory UI/API currently displays 9.7 for the same vector; the practical severity remains Critical. CWE-78 is recorded from the GitHub CNA and adopted by NVD as the authoritative weakness mapping for this CVE.

Fix: praisonai 4.5.121, available on PyPI 2026-04-09. Mitigation guidance from the advisory includes disabling shell=True, passing commands as argument lists, allowlisting permitted commands, and rejecting shell-metacharacter inputs (GHSA-2763-cj5r-c79m).
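
The mitigations listed in the advisory, sketched as an added example (not PraisonAI's code and not the 4.5.121 patch): the command string is parsed into an argument list, checked against an allowlist and run with shell=False, next to the shell=True pattern for comparison. ALLOWED_PROGRAMS, the metacharacter set and all function names are assumptions of this example.

```python
import shlex
import subprocess

# Assumptions of this example, not values from PraisonAI or the advisory.
ALLOWED_PROGRAMS = {"echo", "ls", "git"}
SHELL_METACHARACTERS = set(";|&$`<>(){}\n\r")


class CommandRejected(ValueError):
    """Raised when an untrusted command string fails validation."""


def build_argv(command: str, strict: bool = True) -> list:
    """Convert an untrusted command string into a validated argument list."""
    if strict:
        bad = sorted(SHELL_METACHARACTERS.intersection(command))
        if bad:
            raise CommandRejected(f"shell metacharacters not permitted: {bad}")
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    if argv[0] not in ALLOWED_PROGRAMS:
        raise CommandRejected(f"program not on allowlist: {argv[0]!r}")
    return argv


def run_shell_true(command: str) -> str:
    """The pattern the advisory describes: /bin/sh parses the whole string."""
    done = subprocess.run(command, shell=True, capture_output=True, text=True)
    return done.stdout


def run_hardened(command: str, strict: bool = True, timeout: float = 10.0) -> str:
    """No shell is involved: argv[0] is executed directly, arguments stay literal."""
    argv = build_argv(command, strict=strict)
    done = subprocess.run(argv, shell=False, capture_output=True, text=True,
                          timeout=timeout, check=False)
    return done.stdout


if __name__ == "__main__":
    sample = "echo step; echo second"  # constructed input, harmless on purpose
    print(repr(run_shell_true(sample)))              # the shell runs two commands
    print(repr(run_hardened(sample, strict=False)))  # one echo, ';' is plain text
    try:
        run_hardened(sample)                         # strict mode refuses outright
    except CommandRejected as exc:
        print("rejected:", exc)
```

The strict=False call shows why the argument-list form matters even without input filtering: the separator reaches the program as an ordinary argument and no second command is started.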

CVE-2026-40315: SQLiteConversationStore SQL identifier injection

Prior to praisonai 4.5.133, SQLiteConversationStore concatenated the table_prefix configuration value directly into SQL identifier positions (e.g. CREATE TABLE <prefix>conversations (…)) (NVD CVE-2026-40315). An attacker controlling table_prefix could inject SQL identifiers that break the intended query structure. Standard query parameterisation does not protect identifier positions: ?-style placeholders apply to value positions only, and the identifier is resolved before parameter binding.

CVSS and severity: NVD Primary CVSS 3.1 9.8 CRITICAL, vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. NVD Secondary CVSS 4.0 is 7.2 HIGH, vector AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N; see the CVSS Divergence section for the reading. CWE-89 recorded as Secondary from the GitHub CNA; NVD did not independently assign a Primary CWE for this CVE as of 2026-04-23.

Fix: praisonai 4.5.133.

GHSA-rg3h-x3jw-7jm5: incomplete-fix extension to nine backends

The 4.5.133 patch for CVE-2026-40315 addressed only the synchronous SQLiteConversationStore. The same table_prefix → f-string-SQL pattern existed in nine sibling conversation-store classes in praisonaiagents/persistence/conversation/ (GHSA-rg3h-x3jw-7jm5). The advisory summary uses the phrase "9 conversation store backends" verbatim, and the advisory body enumerates MySQL, PostgreSQL, async SQLite, async MySQL, async PostgreSQL, Turso/LibSQL, SingleStore, Supabase, and SurrealDB, with 52 total injection points called out across the nine backends, and postgres.py additionally exposing an unvalidated schema parameter used directly in DDL. Any deployment using one of those nine backends remained vulnerable from the original 40315 disclosure through the 4.5.148 version.

CVSS: GitHub CNA Secondary CVSS 3.1 8.1 HIGH, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. No CVSS 4.0 in the GHSA record. CWE-89. No CVE assigned as of 2026-04-23 (GitHub Advisory API cve_id: None).

Fix: praisonai 4.5.149 and praisonaiagents 1.6.8 together; both packages must be upgraded because the vulnerable backend classes live in praisonaiagents (GHSA-rg3h-x3jw-7jm5).
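
The identifier-position problem described for CVE-2026-40315 and GHSA-rg3h-x3jw-7jm5 above, as an added example using Python's sqlite3 module (not PraisonAI's code and not the vendor patch): it shows that a ? placeholder cannot stand in for a table name, then applies an allowlist check and identifier quoting before the prefix reaches SQL text. The prefix rule (1 to 32 ASCII letters, digits or underscores) and all function names are assumptions of this example.

```python
import re
import sqlite3

# Assumption of this example: a prefix is 1-32 ASCII letters, digits or
# underscores and does not start with a digit.
_PREFIX_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,31}")


def validate_table_prefix(prefix) -> str:
    """Allowlist check applied before the value reaches any SQL text."""
    if not isinstance(prefix, str) or not _PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"invalid table_prefix: {prefix!r}")
    return prefix


def quote_identifier(name: str) -> str:
    """Quote an identifier for SQLite / standard SQL by doubling embedded quotes.
    Other backends use a different quote character (MySQL uses backticks)."""
    if "\x00" in name:
        raise ValueError("NUL byte in identifier")
    return '"' + name.replace('"', '""') + '"'


def placeholder_cannot_bind_identifier(conn) -> bool:
    """'?' is a value placeholder only: the parser rejects it where a name goes."""
    try:
        conn.execute("CREATE TABLE ? (id INTEGER)", ("conversations",))
    except sqlite3.OperationalError:
        return True
    return False


def create_store(conn, table_prefix: str) -> str:
    """Validate, then quote, then build the DDL; values still go through '?'."""
    table = quote_identifier(validate_table_prefix(table_prefix) + "conversations")
    conn.execute(f"CREATE TABLE IF NOT EXISTS {table} "
                 "(id INTEGER PRIMARY KEY, role TEXT, content TEXT)")
    conn.execute(f"INSERT INTO {table} (role, content) VALUES (?, ?)",
                 ("user", "hello"))
    return table


def table_names(conn) -> list:
    """List the tables that actually exist after the statements above ran."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [row[0] for row in rows]


if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")
    print("placeholder rejected:", placeholder_cannot_bind_identifier(conn))
    print("created:", create_store(conn, "tenant1_"))
    # Constructed values with the characters the IoC table calls out.
    for candidate in ['tenant"x', "a;b", "p(", "1abc"]:
        try:
            validate_table_prefix(candidate)
        except ValueError as exc:
            print("refused:", exc)
    print("tables:", table_names(conn))
```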

Exposure windows

| Window | Exposure |
| --- | --- |
| before 2026-04-09 (pre-4.5.121) | all three vulnerabilities live |
| 2026-04-09 → 2026-04-14 (4.5.121 ≤ v < 4.5.133) | 40315 + GHSA-rg3h live (40088 closed) |
| 2026-04-14 → 2026-04-16 (4.5.133 ≤ v < 4.5.149) | GHSA-rg3h live (40088 + 40315 on SQLite closed) |
| 2026-04-16 onwards (v >= 4.5.149 + praisonaiagents >= 1.6.8) | all three closed (GHSA-rg3h advisory disclosure followed on 2026-04-17) |

The 2026-04-14 → 2026-04-16 window is the "incomplete fix" gap: defenders who responded to CVE-2026-40315 with a 4.5.133 upgrade retained the cross-backend SQL injection for two days before praisonai 4.5.149 + praisonaiagents 1.6.8 shipped. The GHSA-rg3h advisory that documented the incomplete fix was published one day after the fix itself landed on PyPI.

Confidence & Validation

Assessment Confidence: High

| Aspect | Status | Detail |
| --- | --- | --- |
| Vendor advisory | Confirmed × 2 | GHSA-2763-cj5r-c79m (40088); GHSA-rg3h-x3jw-7jm5 (incomplete fix) |
| CVE assigned | 2 of 3 | CVE-2026-40088 and CVE-2026-40315 both NVD-Analyzed; GHSA-rg3h has no CVE assigned as of 2026-04-23 |
| PoC available | Concept-level | Advisory describes YAML injection pattern for 40088; SQL identifier injection primitive for 40315 / GHSA-rg3h is standard once table_prefix control is established |
| Patch available | Confirmed for all three | PyPI verified: praisonai 4.5.121, 4.5.133, 4.5.149; praisonaiagents 1.6.8 |
| Exploited in wild | Not observed by RAXE | No KEV listing; no vendor statement of in-wild exploitation |

Detection Signatures

Full Sigma rules in the finding directory as detection/praisonai-post-cluster-wave.yml:

  • PraisonAI Workflow YAML Contains Shell Metacharacters in Shell-Type Step (CVE-2026-40088): file-content scan on workflow YAML for type: shell steps whose target contains shell metacharacters. Deploy as CI pre-commit hook, file-integrity scanner, or YAML-linter plugin.
  • PraisonAI Runtime Spawns Shell With Injected Metacharacters (CVE-2026-40088): process-creation rule for PraisonAI Python runtime spawning shell children whose command-line contains metacharacter injection patterns.
  • PraisonAI Conversation Store Query Contains Suspicious table_prefix Identifier (CVE-2026-40315 / GHSA-rg3h-x3jw-7jm5): application-layer rule (requires custom query-logging instrumentation) flagging SQL queries whose identifier positions contain characters outside the normal identifier charset.

Detection & Mitigation

Priority 1: upgrade. Reach praisonai >= 4.5.149 and praisonaiagents >= 1.6.8 together. Partial upgrades leave one or two advisories exposed.

Priority 2: inventory non-SQLite conversation-store backends. These were the exposure population for GHSA-rg3h through 2026-04-17; retrospective query-log review is the highest-fidelity way to detect past exploitation attempts.

Priority 3: audit workflow YAML history. Check version-control history for any workflow YAML containing type: shell steps with metacharacters in target. Pre-4.5.121 deployments that executed such YAML are potential past-exploitation candidates.

Priority 4: deploy the Sigma content referenced above. The YAML scanner is the most readily-deployable; the SQL-identifier rule requires query-text instrumentation that is not PraisonAI-native and must be added site-specifically.

Priority 5: rotate credentials accessible to pre-upgrade PraisonAI processes. On deployments that ran <= 4.5.120 with external-input-reachable workflows, any credential the PraisonAI process could read may have been exposed via the OS-cmd-injection primitive (RAXE assessment).
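
The workflow-YAML check named in the Detection Signatures list and in Priority 3, as an added example (not the Sigma rule from the finding directory and not PraisonAI code): a dependency-free line scanner that reports type: shell steps whose target contains one of the metacharacters listed under "Am I affected?". The sample workflow is constructed, and its step layout (a list of items carrying type and target keys) is an assumption, since this page names only those two keys.

```python
import re

# Metacharacters named on this page: ; | && $( and backticks.
METACHARS = re.compile(r";|&&|\||\$\(|`")
KEY_LINE = re.compile(r"^\s*(-\s+)?([A-Za-z_][\w-]*)\s*:\s*(.*)$")

# Constructed sample workflow; the step layout is an assumption of this example.
SAMPLE = """\
steps:
  - name: list-reports
    type: shell
    target: ls -la ./reports
  - name: summarise
    type: agent
    target: "Summarise a; b | c"
  - name: archive
    type: shell
    target: "tar czf out.tgz ./reports; echo done"
  - type: shell
    target: echo $(date)
"""


def _unquote(value: str) -> str:
    """Strip whitespace and one pair of matching surrounding quotes."""
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def _check(step: dict, findings: list) -> None:
    """Record a finding when a shell-type step has metacharacters in target."""
    if step.get("type") == "shell" and "target" in step:
        lineno, target = step["target"]
        hits = sorted(set(METACHARS.findall(target)))
        if hits:
            findings.append((lineno, target, hits))


def scan_workflow(text: str) -> list:
    """Line-based heuristic: each '- ' list item starts a new step."""
    findings, step = [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue
        match = KEY_LINE.match(raw)
        if not match:
            continue
        dash, key, value = match.groups()
        if dash:  # new list item: evaluate and close the previous step
            _check(step, findings)
            step = {}
        if key == "type":
            step["type"] = _unquote(value)
        elif key == "target":
            step["target"] = (lineno, _unquote(value))
    _check(step, findings)  # the last step has no following '- ' line
    return findings


if __name__ == "__main__":
    for lineno, target, hits in scan_workflow(SAMPLE):
        print(f"line {lineno}: {hits} in target {target!r}")
```

Block scalars (target: |) and flow-style mappings are not parsed by this heuristic, so a CI hook should load the file with a real YAML parser and apply the same per-step check.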

Indicators of Compromise

| Type | Indicator | Context |
| --- | --- | --- |
| File-content | PraisonAI workflow YAML with type: shell step whose target contains shell metacharacters | Pre-exploit primitive for CVE-2026-40088 (GHSA-2763-cj5r-c79m) |
| Process-event | PraisonAI Python runtime spawning shell child with metacharacter-bearing command line | Exploitation-in-progress for CVE-2026-40088 |
| SQL query | Conversation-store SQL containing identifier-position characters outside the normal identifier charset (ASCII letters, digits, underscore) plus the backend's legitimate quote character | Exploitation-in-progress for CVE-2026-40315 or GHSA-rg3h-x3jw-7jm5 |
| Configuration change | table_prefix configuration value containing quote, semicolon, or parenthesis characters | Pre-exploit primitive for CVE-2026-40315 / GHSA-rg3h |

No file-hash or network-indicator IoCs are available; all three primitives are structural (RAXE assessment).

Strategic Context

This is the second PraisonAI cluster RAXE has covered in 30 days. The prior nine-CVE cluster closed sandbox-bypass and MCP-boundary issues; this wave's three advisories (two CVEs plus one no-CVE GHSA) close OS command injection and cross-backend SQL injection. The two clusters share a codebase but no other structural element, which is itself a signal. When a codebase produces twelve CVE/GHSA advisories in a month across two disjoint bug classes without overlap, it tells you more about the code-review discipline behind the codebase than about the specific bug classes individually (RAXE assessment).

Three patterns worth naming for forward-looking work:

  1. Agentic framework velocity vs. security-review discipline. PraisonAI is not unique in this pattern: similar signals appear against Flowise (three advisories in five days, RAXE coverage continues), PraisonAI itself (two clusters in 30 days, this finding is the second), and to a lesser degree across LangChain, smolagents, and CrewAI over the past six months. The framework category is in a discovery-rich phase where external researchers are finding bugs faster than internal review would have caught them.
  2. Incomplete-fix patterns as a defender-facing class. GHSA-rg3h is the fourth RAXE-covered case of a vendor fix landing, being inspected, and found to cover fewer code paths than the original CVE implied. The lesson is that a CVE-associated patch is not the same as the vulnerability being closed across the codebase; defenders should treat CVE patches as partial evidence of remediation, not proof.
  3. SQL identifier injection as a parallel class. Organisations that trust query parameterisation to cover "SQL injection" as a category must be reminded that identifier positions (table names, column names, table_prefix-style templating) are resolved before parameter binding, and require a separate identifier-quoting or allowlisting control. The same pattern exists in ORMs that expose raw-SQL-style identifier templating.

For enterprise defenders, the practical posture is: run PraisonAI if the product case requires it, but inventory it as a rapid-release platform where patch-adoption lag of weeks becomes a real vulnerability window, not a theoretical one.

References

  1. GHSA-2763-cj5r-c79m, PraisonAI execute_command OS command injection (CVE-2026-40088), https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-2763-cj5r-c79m (accessed 2026-04-23; GitHub-published 2026-04-08T21:52:10Z; NVD-published 2026-04-09; credited in the advisory description to Lakshmikanthan K / letchupkt).
  2. NVD, CVE-2026-40088, https://nvd.nist.gov/vuln/detail/CVE-2026-40088 (accessed 2026-04-23; status Analyzed; CVSS 3.1 Primary 9.6 CRITICAL; CWE-78 Primary from GitHub CNA adopted by NVD).
  3. NVD, CVE-2026-40315, https://nvd.nist.gov/vuln/detail/CVE-2026-40315 (accessed 2026-04-23; status Analyzed; CVSS 3.1 Primary 9.8 CRITICAL; CNA CVSS 4.0 Secondary 7.2 HIGH; CWE-89 Secondary from GitHub CNA).
  4. GHSA-rg3h-x3jw-7jm5, PraisonAI SQL injection across nine conversation-store backends (incomplete fix for CVE-2026-40315), https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5 (accessed 2026-04-23; published 2026-04-17; CVSS 3.1 Secondary 8.1 HIGH; CWE-89; no CVE assigned).
  5. PyPI, praisonai 4.5.149, https://pypi.org/project/praisonai/4.5.149/ (verified present 2026-04-23).
  6. PyPI, praisonaiagents 1.6.8, https://pypi.org/project/praisonaiagents/1.6.8/ (verified present 2026-04-23).
  7. FIRST.org EPSS, CVE-2026-40088, https://api.first.org/data/v1/epss?cve=CVE-2026-40088 (0.00054, 16.9th percentile, 2026-04-23).
  8. FIRST.org EPSS, CVE-2026-40315, https://api.first.org/data/v1/epss?cve=CVE-2026-40315 (0.00038, 11.6th percentile, 2026-04-23).