{"data":{"id":"c1964c97-6c71-408f-b5a4-7f1926fd5b4f","title":"CVE-2026-40113: PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the ","summary":"PraisonAI, a system for managing multiple AI agents working together, had a vulnerability in versions before 4.5.128 where the deploy.py file didn't check if certain configuration values (openai_model, openai_key, and openai_base) contained commas before putting them into a command. Since commas are used as separators in the gcloud deployment command, an attacker could sneak extra commas into these values to inject arbitrary environment variables (settings that control how the deployed service behaves) into the cloud service.","solution":"Upgrade PraisonAI to version 4.5.128 or later, which fixes this vulnerability.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-40113","publishedAt":"2026-04-09T22:16:34.853Z","cveId":"CVE-2026-40113","cweIds":["CWE-88"],"cvssScore":"8.4","cvssSeverity":"high","severity":"high","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["LangChain"],"affectedVendorsRaw":["PraisonAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N","attackVector":"local","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-04-09T22:16:34.853Z","capecIds":null,"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality"],"aiComponentTargeted":"inference","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}