CVE 9.1 CRITICAL

PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence_CVE-2026-40313

April 13, 2026 invoker category_cve

9.1 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Description

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.

AI Analysis

ArtiPACKED vulnerability via GitHub Actions credential persistence, potentially enabling an attacker to push malicious code and steal repository secrets

Basic Information

ID CVE-2026-40313

Source GitHub_M

Published Apr 14, 2026 at 03:10

Modified Apr 14, 2026 at 03:12

Affected Product

Vendor MervinPraison

Product PraisonAI

Version < 4.5.140

Affected Versions MervinPraison PraisonAI < 4.5.140

CWE Classification

CWE-829

AI Assessment

AI Score 9.1 / 10

AI Severity Critical

Vendor MervinPraison

Product PraisonAI

Version < 4.5.140

References

{
    "lastseen": "",
    "description": "PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) into the .git/config file for persistence, and if any subsequent workflow step uploads artifacts (build outputs, logs, test results, etc.), these tokens can be inadvertently included. Since PraisonAI is a public repository, any user with read access can download these artifacts and extract the leaked tokens, potentially enabling an attacker to push malicious code, poison releases and PyPI/Docker packages, steal repository secrets, and execute a full supply chain compromise affecting all downstream users. The issue spans numerous workflow and action files across .github/workflows/ and .github/actions/. This issue has been fixed in version 4.5.140.",
    "published": "2026-04-14T03:10:23.697Z",
    "modified": "2026-04-14T03:12:04.840Z",
    "type": "cve",
    "title": "PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence",
    "source": "GitHub_M",
    "references": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-3959-6v5q-45q2\nhttps://thehackernews.com/2024/08/github-vulnerability-artipacked-exposes.html\nhttps://unit42.paloaltonetworks.com/github-repo-artifacts-leak-tokens",
    "id": "CVE-2026-40313",
    "bulletinFamily": "",
    "cwe": [
        "CWE-829"
    ],
    "cvelist": null,
    "sourceData": "MervinPraison PraisonAI < 4.5.140",
    "sourceHref": "",
    "cvss": {
        "score": 9.1,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "PraisonAI",
    "version": "< 4.5.140",
    "vendor": "MervinPraison",
    "ai_description": "ArtiPACKED vulnerability via GitHub Actions credential persistence, potentially enabling an attacker to push malicious code and steal repository secrets",
    "ai_severity": "Critical",
    "ai_vendor": "MervinPraison",
    "ai_product": "PraisonAI",
    "ai_version": "< 4.5.140",
    "ai_score": 9.1
}

💭 Join the Security Discussion ❌ Cancel Reply