EUVD-2026-21176
GHSA-v8g7-9q6v-p3x8
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Lifecycle Timeline
4Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the execute_command function in shell_tools.py calls os.path.expandvars() on every command argument at line 64, manually re-implementing shell-level environment variable expansion despite using shell=False (line 88) for security. This allows exfiltration of secrets stored in environment variables (database credentials, API keys, cloud access keys). The approval system displays the unexpanded $VAR references to human reviewers, creating a deceptive approval where the displayed command differs from what actually executes. This vulnerability is fixed in 1.5.128.
Analysis
Environment variable exfiltration in PraisonAIAgents versions prior to 1.5.128 allows unauthenticated remote attackers to steal secrets (database credentials, API keys, cloud access keys) through shell_tools.py execute_command function. The vulnerability leverages deceptive command approval where unexpanded $VAR references shown to human reviewers differ from executed commands containing expanded environment variable values. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running PraisonAIAgents and document current versions via dependency scanning and asset inventory. Within 7 days: If version 1.5.128 or later is available, upgrade all PraisonAIAgents instances to version 1.5.128 minimum; if unavailable, disable shell_tools.py execute_command functionality or isolate affected systems. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today