HOMEVULNERABILITIESCVE-2026-40113
HIGHPOC

CVE-2026-40113

CWE-88Published: April 9, 2026· Updated: Apr 13, 2026

8.4
CVSS v3.1
EPSS:0.02%probability of exploitation in 30 daysPercentile:5.1th

Official Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run

deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.

NVD Source

Technical Analysis

CVE-2026-40113 requires local access, meaning attackers must already have a foothold on the target system.

Exploitation requires low privileges, which limits the exposure to scenarios where an attacker has already gained initial access.

A successful exploit results in complete confidentiality breach (data exposure), full integrity compromise (data manipulation), with a CVSS base score of 8.4.

The vulnerability has a "Changed" scope, meaning successful exploitation can impact components beyond the vulnerable component itself — such as the host operating system or adjacent services.

A proof-of-concept (PoC) exploit exists for CVE-2026-40113. While not yet confirmed in active campaigns, the availability of PoC code increases exploitation risk substantially.

CVSS v3.1 Vector Breakdown

Exploitability
Attack VectorLocal
Attack ComplexityLow
Privileges Req.Low
User InteractionNone
ScopeChanged
Impact
ConfidentialityHigh
IntegrityHigh
AvailabilityNone
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Exploit & PoC Resources

POC AVAILABLEProof-of-concept code exists
External links open in a new tab. Always verify in a controlled environment before use.

All References (1)

Quick Facts

CVE IDCVE-2026-40113
CVSS Score8.4 / 10
SeverityHIGH
WeaknessCWE-88
CISA KEVNo
ExploitPOC
EPSS (30d)0.02%
PublishedApr 9, 2026

Related CVEs (CWE-88)

Recommended Actions

  • Apply vendor patches immediately
  • Monitor CVE-2026-40113 in threat intel feeds
  • Review IDS/IPS signatures for exploitation attempts
Data sourced from NVD (NIST), CISA KEV, and EPSS (FIRST). Analysis generated by CTIWATCH.COM. CVE data is provided under the NVD usage policy.