{"id":"PYSEC-2026-2913","summary":"PraisonAI Vulnerable to Argument Injection into Cloud Run Environment Variables via Unsanitized Comma in gcloud --set-env-vars","details":"**Summary**\n\ndeploy.py constructs a single comma-delimited string for the gcloud run\ndeploy --set-env-vars argument by directly interpolating openai_model,\nopenai_key, and openai_base without validating that these values do not\ncontain commas. gcloud uses a comma as the key-value pair separator for\n--set-env-vars. A comma in any of the three values causes gcloud to\nparse the trailing text as additional KEY=VALUE definitions, injecting\narbitrary environment variables into the deployed Cloud Run service.\n\n\nGrep Commands and Evidence\n\nStep 1. Confirm the vulnerable string construction at line 150\n```\n    grep -n \"set-env-vars\\|openai_key\\|openai_base\\|openai_model\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    Expected output showing unsanitized interpolation:\n    150:  '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'\n\nStep 2. Confirm no comma validation exists before this line\n```\n    grep -n \"comma\\|assertNotIn\\|ValueError\\|sanitize\\|strip\\|replace\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    Expected output: no results related to input validation\n\nStep 3. View the full context of the vulnerable construction\n```\n    sed -n '140,165p' \\\n      src/praisonai/praisonai/deploy.py\n```\n    This block shows the gcloud command list where the three values are\n    joined into one comma-separated string passed as a single argument\n    element. gcloud receives this string and applies its own\n    comma-based parsing, which the subprocess list form cannot prevent.\n\nStep 4. Confirm subprocess is called without shell=True\n```\n    grep -n \"subprocess\\|Popen\\|shell=\" \\\n      src/praisonai/praisonai/deploy.py\n```\n    This confirms shell=False (default), meaning the injection is at the\n    gcloud argument level, not the shell level. The comma delimiter is\n    parsed by gcloud itself, not by /bin/sh.\n\nStep 5. Confirm no existing advisory covers this file\n```\n    grep -rn \"deploy.py\\|set.env.vars\\|openai_base\" \\\n      src/praisonai/praisonai/deploy.py\n```\n\nVulnerability Description\n\nFile:\n  `src/praisonai/praisonai/deploy.py`\n\nVulnerable line:\n```\n  150: '--set-env-vars', f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}'\n```\n\nThe three values openai_model, openai_key, and openai_base originate\nfrom environment variables or user-provided configuration and are\ninterpolated directly into a single f-string without validation.\n\nThe subprocess call uses a Python list without shell=True. This means\nthere is no shell injection. The subprocess module passes the f-string\nas one complete argument to gcloud. gcloud then applies its own internal\nparsing to the value of --set-env-vars using a comma as the delimiter.\nThis parsing is entirely outside Python's control.\n\nIf any of the three values contains a comma, gcloud splits on that comma\nand creates an additional KEY=VALUE environment variable from the text\nfollowing it. There is no error or warning from gcloud when this occurs.\n\nThe three values are attacker-controllable in any scenario where\nenvironment variables can be set before the deploy command runs. This\nincludes compromised dotenv files, poisoned CI pipeline secrets, and\nlocal developer machines where an attacker has shell access.\n\n\nProof of Concept\n```\n attacker-controlled openai_base value:\n\n    export OPENAI_API_KEY=\"sk-legitimate-key\"\n    export OPENAI_MODEL_NAME=\"gpt-4\"\n    export OPENAI_API_BASE=\"https://api.openai.com/v1,INJECTED=attacker_value\"\n```\n\nRun the deploy command. The string constructed at line 150 becomes:\n```\n    OPENAI_MODEL_NAME=gpt-4,OPENAI_API_KEY=sk-legitimate-key,OPENAI_API_BASE=https://api.openai.com/v1,INJECTED=attacker_value\n```\ngcloud parses this as four key-value pairs and creates all four as\nenvironment variables in the Cloud Run service. INJECTED=attacker_value\nis a real environment variable available to every request the service\nhandles.\n\nVerify the injection after deployment:\n```\n    gcloud run services describe praisonai-service \\\n      --region us-central1 \\\n      --format \"value(spec.template.spec.containers[0].env)\"\n```\nThe output includes INJECTED alongside the three legitimate variables.\n\nAPI key override:\n\n  `  export OPENAI_API_KEY=\"sk-real,OPENAI_API_KEY=sk-attacker\"`\n\nThe constructed string contains OPENAI_API_KEY twice. In gcloud versions\nwhere the last-defined value takes precedence, the deployed service uses\nsk-attacker for all LLM API calls. All agent traffic routes through the\nattacker-controlled API account.\n\n\n**Impact**\n\nAn attacker who can influence any of the three environment variables\nbefore deploy.py runs can inject arbitrary environment variables into\nthe deployed Cloud Run production service without triggering any error.\n\nInjection scenarios include a malicious git hook that modifies a dotenv\nfile before deployment, a compromised CI pipeline secret, or any local\naccess that allows setting environment variables in the deploy shell\nsession.\n\nConsequences include overriding the API key used by the production\nservice, injecting proxy settings that redirect all outbound LLM traffic,\nsetting debug or verbose flags that write sensitive data to Cloud Run\nlogs, and overriding any security-relevant variable the service reads\nfrom its environment.\n\nThe API key override scenario is the highest-impact case. All production\nLLM calls made by the deployed service are billed to and logged by the\nattacker's API account, giving the attacker full visibility into every\nagent prompt and response processed in production.\n\n\n**Recommended Fix**\n\nPass each variable as a separate --update-env-vars flag so each value\nis an isolated argument and gcloud never performs comma-based parsing\nacross multiple values:\n\n    Before:\n      ['gcloud', 'run', 'deploy', 'praisonai-service',\n       '--set-env-vars',\n       f'OPENAI_MODEL_NAME={openai_model},OPENAI_API_KEY={openai_key},OPENAI_API_BASE={openai_base}']\n\n    After:\n      ['gcloud', 'run', 'deploy', 'praisonai-service',\n       '--update-env-vars', f'OPENAI_MODEL_NAME={openai_model}',\n       '--update-env-vars', f'OPENAI_API_KEY={openai_key}',\n       '--update-env-vars', f'OPENAI_API_BASE={openai_base}']\n\nEach --update-env-vars element is a separate string in the subprocess\nlist. The subprocess module passes each as a distinct argument to\ngcloud. gcloud receives three separate single-variable assignments and\nperforms no cross-argument comma parsing.\n\nAdd pre-flight validation as a secondary control:\n\n    for label, value in [\n        (\"OPENAI_MODEL_NAME\", openai_model),\n        (\"OPENAI_API_KEY\", openai_key),\n        (\"OPENAI_API_BASE\", openai_base),\n    ]:\n        if \",\" in value:\n            raise ValueError(\n                f\"{label} contains a comma and would corrupt \"\n                f\"--set-env-vars: {value!r}\"\n            )\n\n\nReferences\n\nCWE-88 Improper Neutralization of Argument Delimiters in a Command\ngcloud run deploy documentation for --set-env-vars KEY=VALUE comma\ndelimiter specification","aliases":["CVE-2026-40113","GHSA-fvxx-ggmx-3cjg"],"modified":"2026-07-13T16:33:02.272089131Z","published":"2026-07-13T14:36:50.897398Z","references":[{"type":"WEB","url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fvxx-ggmx-3cjg"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40113"},{"type":"PACKAGE","url":"https://github.com/MervinPraison/PraisonAI"},{"type":"WEB","url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"type":"PACKAGE","url":"https://pypi.org/project/praisonai"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-fvxx-ggmx-3cjg"}],"affected":[{"package":{"name":"praisonai","ecosystem":"PyPI","purl":"pkg:pypi/praisonai"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.5.128"}]}],"versions":["0.0.1","0.0.10","0.0.11","0.0.12","0.0.13","0.0.14","0.0.15","0.0.16","0.0.17","0.0.18","0.0.19","0.0.2","0.0.20","0.0.21","0.0.22","0.0.23","0.0.24","0.0.25","0.0.26","0.0.27","0.0.28","0.0.29","0.0.3","0.0.30","0.0.31","0.0.32","0.0.33","0.0.34","0.0.35","0.0.36","0.0.37","0.0.38","0.0.39","0.0.4","0.0.40","0.0.41","0.0.42","0.0.43","0.0.44","0.0.45","0.0.46","0.0.47","0.0.48","0.0.49","0.0.5","0.0.50","0.0.52","0.0.53","0.0.54","0.0.55","0.0.56","0.0.57","0.0.58","0.0.59","0.0.59rc11","0.0.59rc2","0.0.59rc3","0.0.59rc5","0.0.59rc6","0.0.59rc7","0.0.59rc8","0.0.59rc9","0.0.6","0.0.61","0.0.64","0.0.65","0.0.66","0.0.67","0.0.68","0.0.69","0.0.7","0.0.70","0.0.71","0.0.72","0.0.73","0.0.74","0.0.8","0.0.9","0.1.0","0.1.1","0.1.10","0.1.2","0.1.3","0.1.4","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","1.0.0","1.0.1","1.0.10","1.0.11","1.0.2","1.0.3","1.0.4","1.0.5","1.0.6","1.0.8","1.0.9","2.0.0","2.0.1","2.0.10","2.0.11","2.0.12","2.0.13","2.0.14","2.0.15","2.0.16","2.0.17","2.0.18","2.0.19","2.0.2","2.0.20","2.0.22","2.0.23","2.0.24","2.0.25","2.0.26","2.0.27","2.0.28","2.0.29","2.0.3","2.0.30","2.0.31","2.0.32","2.0.33","2.0.34","2.0.35","2.0.36","2.0.37","2.0.38","2.0.39","2.0.40","2.0.41","2.0.42","2.0.43","2.0.44","2.0.45","2.0.46","2.0.47","2.0.48","2.0.49","2.0.5","2.0.50","2.0.51","2.0.53","2.0.54","2.0.55","2.0.56","2.0.57","2.0.58","2.0.59","2.0.6","2.0.60","2.0.61","2.0.62","2.0.63","2.0.64","2.0.65","2.0.66","2.0.67","2.0.68","2.0.69","2.0.7","2.0.70","2.0.71","2.0.72","2.0.73","2.0.74","2.0.75","2.0.76","2.0.77","2.0.78","2.0.79","2.0.8","2.0.80","2.0.81","2.0.9","2.1.0","2.1.1","2.1.4","2.1.5","2.1.6","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.24","2.2.25","2.2.26","2.2.27","2.2.28","2.2.29","2.2.3","2.2.30","2.2.31","2.2.32","2.2.33","2.2.34","2.2.35","2.2.36","2.2.37","2.2.38","2.2.39","2.2.4","2.2.40","2.2.41","2.2.42","2.2.43","2.2.44","2.2.45","2.2.46","2.2.47","2.2.48","2.2.49","2.2.5","2.2.50","2.2.51","2.2.52","2.2.53","2.2.54","2.2.55","2.2.56","2.2.57","2.2.58","2.2.59","2.2.6","2.2.60","2.2.61","2.2.62","2.2.63","2.2.64","2.2.65","2.2.66","2.2.67","2.2.68","2.2.69","2.2.7","2.2.70","2.2.71","2.2.72","2.2.73","2.2.74","2.2.75","2.2.76","2.2.77","2.2.78","2.2.79","2.2.8","2.2.80","2.2.81","2.2.82","2.2.83","2.2.84","2.2.86","2.2.87","2.2.88","2.2.89","2.2.9","2.2.90","2.2.91","2.2.93","2.2.95","2.2.96","2.2.97","2.2.98","2.2.99","2.3.0","2.3.1","2.3.10","2.3.11","2.3.12","2.3.13","2.3.14","2.3.15","2.3.16","2.3.18","2.3.19","2.3.2","2.3.20","2.3.21","2.3.22","2.3.23","2.3.24","2.3.25","2.3.26","2.3.27","2.3.28","2.3.29","2.3.3","2.3.30","2.3.31","2.3.32","2.3.33","2.3.34","2.3.35","2.3.36","2.3.37","2.3.38","2.3.39","2.3.4","2.3.40","2.3.41","2.3.42","2.3.43","2.3.44","2.3.45","2.3.46","2.3.47","2.3.48","2.3.49","2.3.5","2.3.50","2.3.51","2.3.52","2.3.53","2.3.54","2.3.55","2.3.56","2.3.57","2.3.58","2.3.59","2.3.6","2.3.60","2.3.61","2.3.62","2.3.63","2.3.64","2.3.65","2.3.66","2.3.67","2.3.68","2.3.69","2.3.7","2.3.70","2.3.71","2.3.72","2.3.73","2.3.74","2.3.75","2.3.76","2.3.77","2.3.78","2.3.79","2.3.8","2.3.80","2.3.81","2.3.82","2.3.83","2.3.84","2.3.85","2.3.86","2.3.87","2.3.9","2.4.0","2.4.1","2.4.2","2.4.3","2.4.4","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.7.0","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.8.9","2.9.0","2.9.1","2.9.2","3.0.0","3.0.1","3.0.2","3.0.3","3.0.4","3.0.5","3.0.6","3.0.7","3.0.8","3.0.9","3.1.0","3.1.1","3.1.2","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9","3.10.0","3.10.1","3.10.10","3.10.11","3.10.12","3.10.13","3.10.14","3.10.15","3.10.16","3.10.17","3.10.18","3.10.19","3.10.2","3.10.20","3.10.21","3.10.22","3.10.23","3.10.24","3.10.25","3.10.26","3.10.27","3.10.3","3.10.4","3.10.5","3.10.6","3.10.7","3.10.8","3.10.9","3.11.0","3.11.1","3.11.10","3.11.11","3.11.12","3.11.13","3.11.14","3.11.2","3.11.3","3.11.4","3.11.8","3.11.9","3.12.0","3.12.1","3.12.2","3.12.3","3.2.0","3.2.1","3.3.0","3.3.1","3.4.0","3.4.1","3.5.0","3.5.1","3.5.2","3.5.3","3.5.4","3.5.5","3.5.6","3.5.7","3.5.8","3.5.9","3.6.0","3.6.1","3.6.2","3.7.0","3.7.1","3.7.2","3.7.3","3.7.4","3.7.5","3.7.6","3.7.7","3.7.8","3.7.9","3.8.0","3.8.1","3.8.10","3.8.11","3.8.12","3.8.13","3.8.14","3.8.16","3.8.17","3.8.18","3.8.19","3.8.2","3.8.20","3.8.21","3.8.22","3.8.3","3.8.4","3.8.5","3.8.6","3.8.7","3.8.8","3.8.9","3.9.0","3.9.1","3.9.10","3.9.11","3.9.12","3.9.13","3.9.14","3.9.15","3.9.16","3.9.17","3.9.18","3.9.19","3.9.2","3.9.20","3.9.21","3.9.22","3.9.23","3.9.24","3.9.25","3.9.26","3.9.27","3.9.28","3.9.29","3.9.3","3.9.30","3.9.31","3.9.32","3.9.33","3.9.34","3.9.35","3.9.4","3.9.5","3.9.6","3.9.7","3.9.8","3.9.9","4.0.0","4.1.0","4.2.0","4.2.1","4.2.2","4.2.3","4.2.4","4.3.0","4.3.1","4.4.0","4.4.10","4.4.11","4.4.12","4.4.2","4.4.3","4.4.4","4.4.5","4.4.6","4.4.7","4.4.8","4.4.9","4.5.0","4.5.1","4.5.10","4.5.100","4.5.101","4.5.102","4.5.103","4.5.104","4.5.105","4.5.106","4.5.107","4.5.108","4.5.109","4.5.11","4.5.110","4.5.111","4.5.112","4.5.113","4.5.114","4.5.115","4.5.117","4.5.118","4.5.119","4.5.12","4.5.120","4.5.121","4.5.122","4.5.123","4.5.124","4.5.125","4.5.126","4.5.127","4.5.13","4.5.14","4.5.15","4.5.16","4.5.18","4.5.19","4.5.2","4.5.20","4.5.21","4.5.22","4.5.23","4.5.24","4.5.25","4.5.26","4.5.27","4.5.28","4.5.29","4.5.3","4.5.30","4.5.31","4.5.32","4.5.33","4.5.34","4.5.35","4.5.36","4.5.37","4.5.38","4.5.39","4.5.40","4.5.41","4.5.42","4.5.43","4.5.44","4.5.45","4.5.46","4.5.48","4.5.49","4.5.5","4.5.51","4.5.52","4.5.54","4.5.55","4.5.56","4.5.57","4.5.58","4.5.59","4.5.6","4.5.60","4.5.62","4.5.63","4.5.64","4.5.65","4.5.67","4.5.68","4.5.69","4.5.7","4.5.70","4.5.71","4.5.72","4.5.73","4.5.74","4.5.76","4.5.77","4.5.78","4.5.79","4.5.8","4.5.80","4.5.81","4.5.82","4.5.83","4.5.85","4.5.87","4.5.88","4.5.89","4.5.9","4.5.90","4.5.93","4.5.94","4.5.95","4.5.96","4.5.97","4.5.98"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/praisonai/PYSEC-2026-2913.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N"}]}