CVE-2026-40159: PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution

April 10, 2026

PraisonAI’s MCP (Model Context Protocol) integration allows spawning background servers via stdio using user-supplied command strings (e.g., MCP("npx -y @smithery/cli ...")). These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent process environment to the spawned subprocess:

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pj2r-f9mw-vrcq
github.com/advisories/GHSA-pj2r-f9mw-vrcq
nvd.nist.gov/vuln/detail/CVE-2026-40159

Code Behaviors & Features

Detect and mitigate CVE-2026-40159 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →