CVE-2026-40113
PraisonAI has an Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars
CVSS Score
8.4
EPSS Score
0.0%
EPSS Percentile
5th
PraisonAI is a multi-agent teams system. Prior to 4.5.128, deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service. This vulnerability is fixed in 4.5.128.
| CWE | CWE-88 |
| Vendor | mervinpraison |
| Product | praisonai |
| Published | Apr 9, 2026 |
| Last Updated | Apr 10, 2026 |
Stay Ahead of the Next One
Get instant alerts for mervinpraison praisonai
Be the first to know when new high vulnerabilities affecting mervinpraison praisonai are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
None
Affected Versions
MervinPraison / PraisonAI
< 4.5.128