Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
9DescriptionGitHub Advisory
PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.
AnalysisAI
GitHub Actions credential leakage in PraisonAI through ArtiPACKED attack exposes GITHUB_TOKEN and ACTIONS_RUNTIME_TOKEN in workflow artifacts. Versions 4.5.139 and below persist credentials in .git/config via actions/checkout without disabling persist-credentials, allowing any user with read access to public repository artifacts to extract tokens and compromise the supply chain. CVSS 9.1 (Critical) with network-accessible, unauthenticated attack vector. EPSS data not provided; no confirmed active exploitation (KEV status not indicated), but attack technique is publicly documented by Palo Alto Unit42 and widely reported. Vendor-released patch available in version 4.5.140.
Technical ContextAI
The ArtiPACKED attack exploits a default behavior in GitHub's actions/checkout action where authentication tokens (GITHUB_TOKEN, ACTIONS_RUNTIME_TOKEN) are written to .git/config for repository persistence. When workflows subsequently upload artifacts-common in CI/CD pipelines for build outputs, test results, or logs-these config files containing plaintext credentials are inadvertently packaged. GitHub Actions artifacts in public repositories are readable by any authenticated GitHub user, creating a credential disclosure vector. The vulnerability (CWE-829: Inclusion of Functionality from Untrusted Control Sphere) stems from trusting the default checkout behavior without explicitly setting persist-credentials: false. PraisonAI's multi-agent teams system uses extensive GitHub Actions workflows across .github/workflows/ and .github/actions/ directories, multiplying the exposure surface. The affected product is specifically cpe:2.3:a:mervinpraison:praisonai versions up to and including 4.5.139.
RemediationAI
Upgrade immediately to PraisonAI version 4.5.140, which remediates the credential persistence issue across all affected workflows. The patch explicitly sets persist-credentials: false in actions/checkout steps to prevent token writing to .git/config. For users unable to upgrade immediately, implement a temporary workaround by manually editing all .github/workflows/*.yml and .github/actions/*/action.yml files to add 'persist-credentials: false' to every actions/checkout invocation, then audit and purge existing workflow artifacts that may contain leaked credentials. Rotate any GITHUB_TOKEN or repository secrets that may have been exposed in historical artifacts. Consult the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2 and review Palo Alto's technical analysis at https://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens for detection guidance.
An issue was discovered in Appsmith before 1.52. Rated critical severity (CVSS 9.8), this vulnerability is remotely expl
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attac
Netmaker makes networks with WireGuard. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no a
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
The News & Blog Designer Pack - WordPress Blog Plugin - (Blog Post Grid, Blog Post Slider, Blog Post Carousel, Blog Post
Docker 1.3.2 allows remote attackers to execute arbitrary code with root privileges via a crafted (1) image or (2) build
Remote code execution in NocoBase Workflow Script Node (npm @nocobase/plugin-workflow-javascript) allows authenticated l
Docker Desktop Community Edition before 2.1.0.1 allows local users to gain privileges by placing a Trojan horse docker-c
Vasion Print (formerly PrinterLogic) Virtual Appliance Host prior to version 25.2.169 and Application prior to version 2
An issue in Plone Docker Official Image 5.2.13 (5221) open-source software that could allow for remote code execution du
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists. Rated critical seve
Unauthenticated remote code execution in 9router (npm package) versions 0.4.30 through 0.4.36 allows network-adjacent at
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22214