CVE-2026-40113: PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars

April 10, 2026

Summary

deploy.py constructs a single comma-delimited string for the gcloud run deploy --set-env-vars argument by directly interpolating openai_model, openai_key, and openai_base without validating that these values do not contain commas. gcloud uses a comma as the key-value pair separator for --set-env-vars. A comma in any of the three values causes gcloud to parse the trailing text as additional KEY=VALUE definitions, injecting arbitrary environment variables into the deployed Cloud Run service.

Grep Commands and Evidence

Step 1. Confirm the vulnerable string construction at line 150

grep -n "set-env-vars\|openai_key\|openai_base\|openai_model" \
src/praisonai/praisonai/deploy.py

Expected output showing unsanitized interpolation:

150: '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

Step 2. Confirm no comma validation exists before this line

grep -n "comma\|assertNotIn\|ValueError\|sanitize\|strip\|replace" \
src/praisonai/praisonai/deploy.py

Expected output: no results related to input validation

Step 3. View the full context of the vulnerable construction

sed -n '140,165p' \
src/praisonai/praisonai/deploy.py

This block shows the gcloud command list where the three values are joined into one comma-separated string passed as a single argument element. gcloud receives this string and applies its own comma-based parsing, which the subprocess list form cannot prevent.

Step 4. Confirm subprocess is called without shell=True

grep -n "subprocess\|Popen\|shell=" \
src/praisonai/praisonai/deploy.py

This confirms shell=False (default), meaning the injection is at the gcloud argument level, not the shell level. The comma delimiter is parsed by gcloud itself, not by /bin/sh.

Step 5. Confirm no existing advisory covers this file

grep -rn "deploy.py\|set.env.vars\|openai_base" \
src/praisonai/praisonai/deploy.py

Vulnerability Description

File: src/praisonai/praisonai/deploy.py

Vulnerable line:

150: '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'

The three values openai_model, openai_key, and openai_base originate from environment variables or user-provided configuration and are interpolated directly into a single f-string without validation.

The subprocess call uses a Python list without shell=True. This means there is no shell injection. The subprocess module passes the f-string as one complete argument to gcloud. gcloud then applies its own internal parsing to the value of --set-env-vars using a comma as the delimiter. This parsing is entirely outside Python’s control.

If any of the three values contains a comma, gcloud splits on that comma and creates an additional KEY=VALUE environment variable from the text following it. There is no error or warning from gcloud when this occurs.

The three values are attacker-controllable in any scenario where environment variables can be set before the deploy command runs. This includes compromised dotenv files, poisoned CI pipeline secrets, and local developer machines where an attacker has shell access.

Proof of Concept

Attacker-controlled openai_base value:

export OPENAI_API_KEY="sk-legitimate-key"
export OPENAI_MODEL_NAME="gpt-4"
export OPENAI_API_BASE="https://api.openai.com/v1,INJECTED=attacker_value"
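
Added example, not taken from the advisory, from PraisonAI, or from the fix shipped in 4.5.128: it reproduces the interpolation from line 150, runs the proof-of-concept values through a simplified model of comma-delimited KEY=VALUE splitting, and contrasts that with a builder that rejects values containing the delimiter. The function names and the splitting model are assumptions made for illustration.

```python
# Added illustration; not PraisonAI's code and not the upstream patch.

def build_unsafe(openai_model, openai_key, openai_base):
    """Same interpolation as the vulnerable line 150 quoted in the advisory."""
    return (f'OPENAI_MODEL_NAME={openai_model},'
            f'OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}')


def model_comma_split(arg):
    """Simplified model (assumption) of comma-delimited KEY=VALUE parsing:
    split on ',', then split each pair on its first '='."""
    env = {}
    for pair in arg.split(','):
        key, _, value = pair.partition('=')
        env[key] = value
    return env


def build_checked(openai_model, openai_key, openai_base):
    """Hypothetical hardened builder: refuse any value that carries the
    pair delimiter (or a control character) instead of passing it on."""
    values = {
        'OPENAI_MODEL_NAME': openai_model,
        'OPENAI_API_KEY': openai_key,
        'OPENAI_API_BASE': openai_base,
    }
    for name, value in values.items():
        if ',' in value or any(ord(ch) < 0x20 for ch in value):
            raise ValueError(f'{name} contains a comma or control character')
    return ','.join(f'{name}={value}' for name, value in values.items())


# Constructed sample input: the three values from the proof of concept above.
POC = ('gpt-4', 'sk-legitimate-key',
       'https://api.openai.com/v1,INJECTED=attacker_value')

if __name__ == '__main__':
    # The unsafe string yields four variables instead of three.
    for key, value in model_comma_split(build_unsafe(*POC)).items():
        print(f'{key} -> {value}')
    try:
        build_checked(*POC)
    except ValueError as exc:
        print('rejected:', exc)
```
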

References

  • github.com/MervinPraison/PraisonAI
  • github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128
  • github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg
  • github.com/advisories/GHSA-fvxx-ggmx-3cjg
  • nvd.nist.gov/vuln/detail/CVE-2026-40113

Affected versions

All versions before 4.5.128

Fixed versions

  • 4.5.128

Solution

Upgrade to version 4.5.128 or above.

Impact 8.4 HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Weakness

  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Source file

pypi/praisonai/CVE-2026-40113.yml

Page generated Sat, 09 May 2026 12:17:59 +0000.