PraisonAI CVE-2026-40313: Overview of a Critical ArtiPACKED Supply Chain Vulnerability in GitHub Actions Workflows

A brief summary of CVE-2026-40313, a critical credential leakage vulnerability in PraisonAI's GitHub Actions workflows that could enable full supply chain compromise via the ArtiPACKED attack vector. Includes patch analysis and affected version details.

CVE Analysis

8 min read

ZeroPath CVE Analysis

2026-04-13

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A default configuration in GitHub Actions workflows turned PraisonAI's public CI/CD pipeline into a credential dispensary, exposing tokens that could enable full supply chain compromise of a project with nearly 7,000 GitHub stars. CVE-2026-40313, scored at CVSS 9.1, demonstrates how a single missing flag in a widely used GitHub Action can cascade into repository takeover, package poisoning, and secret theft.

PraisonAI is an open source multi-agent AI framework created by Mervin Praison, designed for building autonomous agent teams that can research, plan, code, and execute tasks. The project has reached the top of GitHub Trending, accumulated 6.9k stars and 1.1k forks, and is distributed through both PyPI and Docker. Its position as a building block in AI tooling pipelines makes it a meaningful supply chain target: a compromise here propagates to every downstream consumer installing the package.

Technical Information

Root Cause: Credential Persistence in actions/checkout

The vulnerability is rooted in the default behavior of actions/checkout, one of the most commonly used GitHub Actions. Unless it is invoked with persist-credentials: false, the action stores the token it checked out with (by default the job's GITHUB_TOKEN) inside the checked-out repository's .git/config, as a base64-encoded basic-auth value under the http.https://github.com/.extraheader key. This is done so that subsequent git operations within the same job can authenticate automatically. Checkout does not write the ACTIONS_RUNTIME_TOKEN; if that token shows up in an artifact it got there by another route, for example a step that dumps its environment into a log that is then uploaded.

The problem arises when any later step in the workflow uploads artifacts (build outputs, logs, test results, or the checkout directory itself). If the upload includes the .git/ directory, the tokens embedded in .git/config become part of the downloadable artifact.
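To make the failure mode concrete, here is an added example (not code from this page or from the PraisonAI project) that scans an extracted artifact for the credential actions/checkout leaves in .git/config. It assumes the layout checkout produces by default: an http.https://github.com/.extraheader entry whose value is AUTHORIZATION: basic followed by base64("x-access-token:<token>"). The sample .git/config, the directory layout and the token value are all constructed for the demonstration.

```python
import base64
import binascii
import os
import re
import tempfile
from pathlib import Path

# Constructed sample of a .git/config left behind by actions/checkout when
# persist-credentials is not set to false. The token value is made up.
FAKE_TOKEN = "ghs_0000000000000000000000000000000000"
SAMPLE_GIT_CONFIG = """\
[core]
\trepositoryformatversion = 0
\tfilemode = true
[remote "origin"]
\turl = https://github.com/example-org/example-repo
\tfetch = +refs/heads/*:refs/remotes/origin/*
[http "https://github.com/"]
\textraheader = AUTHORIZATION: basic {b64}
"""

# Matches the header checkout writes with
#   git config --local http.https://github.com/.extraheader "AUTHORIZATION: basic <b64>"
EXTRAHEADER_RE = re.compile(
    r"^\s*extraheader\s*=\s*AUTHORIZATION:\s*basic\s+(\S+)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def sample_git_config() -> str:
    """The constructed config with the fake token encoded the way checkout does it."""
    b64 = base64.b64encode(f"x-access-token:{FAKE_TOKEN}".encode()).decode()
    return SAMPLE_GIT_CONFIG.format(b64=b64)


def tokens_from_git_config(text: str) -> list[str]:
    """Return every secret found in basic-auth extraheader entries of a git config.
    Entries that are not valid base64 or not of the form user:secret are skipped."""
    found = []
    for b64 in EXTRAHEADER_RE.findall(text):
        try:
            decoded = base64.b64decode(b64, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        _user, sep, secret = decoded.partition(":")
        if sep and secret:
            found.append(secret)
    return found


def scan_artifact(root: str) -> dict[str, list[str]]:
    """Walk an extracted artifact directory and map each .git/config (relative
    path, forward slashes) to the tokens recovered from it."""
    hits: dict[str, list[str]] = {}
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) == ".git" and "config" in files:
            path = os.path.join(dirpath, "config")
            tokens = tokens_from_git_config(Path(path).read_text(errors="replace"))
            if tokens:
                hits[os.path.relpath(path, root).replace(os.sep, "/")] = tokens
    return hits


def make_sample_artifact() -> str:
    """Create a throwaway directory shaped like an uploaded checkout (constructed)."""
    root = tempfile.mkdtemp(prefix="artifact-")
    git_dir = Path(root) / "repo" / ".git"
    git_dir.mkdir(parents=True)
    (git_dir / "config").write_text(sample_git_config())
    (Path(root) / "repo" / "README.md").write_text("build output\n")
    return root


def redact(token: str) -> str:
    """Show only the prefix and suffix of a secret when reporting it."""
    return token[:4] + "..." + token[-4:]


if __name__ == "__main__":
    artifact_root = make_sample_artifact()
    for config_path, tokens in scan_artifact(artifact_root).items():
        for tok in tokens:
            print(f"{config_path}: leaked token {redact(tok)}")
```

Point scan_artifact at a directory produced by unzipping a downloaded artifact; any hit means a checkout step ran without persist-credentials: false and its output was uploaded with the .git directory intact. The same scan is useful on your own artifacts before an attacker tries it on them.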

The ArtiPACKED Race Condition

The attack vector, known as ArtiPACKED and documented by Palo Alto Networks' Unit 42 research team, exploits a timing window introduced with v4 of the artifact actions (actions/upload-artifact and actions/download-artifact). Before v4, artifacts only became downloadable after the whole workflow run completed, by which point the GITHUB_TOKEN (which is only valid for the job that issued it) had typically expired. With v4, an artifact is downloadable as soon as its upload step finishes, while the run is still in progress.

This creates a race condition. An attacker monitoring a public repository can:

  1. Observe a workflow run starting (via the GitHub API or the Actions tab).
  2. Poll for newly uploaded artifacts during the run.
  3. Download the artifact before the workflow job completes.
  4. Extract the GITHUB_TOKEN from .git/config within the artifact.
  5. Use the still-valid token to perform authenticated operations against the repository.

With a valid GITHUB_TOKEN, what the attacker can do depends on the permissions granted to the token in that workflow (the repository's default token permissions or the job's permissions: block). With write scopes this includes pushing commits to branches, creating branches and tags, and modifying releases. The token cannot read repository secrets directly, but code pushed with it will be executed by later workflow runs that do have those secrets, so secret theft follows indirectly. In PraisonAI's case, this could mean poisoning PyPI packages, Docker images, or the release artifacts that downstream users depend on.

Scope Across PraisonAI Workflows

A security audit using the zizmor static analysis tool flagged multiple instances of this vulnerability across the PraisonAI repository. The issue spans numerous workflow and action YAML files under .github/workflows/ and .github/actions/. Key affected files include:

File                Vulnerability pattern                Potential impact
benchmark.yml       Missing persist-credentials: false   Token leakage via artifacts
build-image.yml     Missing persist-credentials: false   Token leakage via artifacts
docker-publish.yml  Missing persist-credentials: false   Token leakage via artifacts
release.yml         Missing persist-credentials: false   Token leakage via artifacts

Because PraisonAI is a public repository, any GitHub user with read access can download workflow artifacts. No special privileges or user interaction are required, which contributes to the CVSS 9.1 severity rating.

Patch Information

The PraisonAI maintainers declared this vulnerability fixed in version 4.5.140, released on April 10, 2026, and published a corresponding GitHub Security Advisory (GHSA-3959-6v5q-45q2). The core of the patch is conceptually straightforward: every actions/checkout step across the repository's GitHub Actions workflows and composite actions needed the persist-credentials: false option added. This single flag prevents the checkout action from writing the GITHUB_TOKEN into the .git/config file, which is the root cause of the ArtiPACKED credential leakage vector.

The recommended fix, as stated directly in the advisory, is:

    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        persist-credentials: false

However, a closer inspection reveals an important nuance in how the fix was rolled out. When comparing the workflow files at the v4.5.140 tag versus the current main branch, the actual persist-credentials: false additions were not yet present at the v4.5.140 tag itself. For example, .github/workflows/docker-publish.yml at v4.5.140 still used a bare actions/checkout@v4 without the flag. The commit included in v4.5.140 related to the issue (2cdc08e) only updated security audit documentation and the install.sh sync process, not the workflows themselves.

The concrete workflow fixes landed on main in subsequent commits after the v4.5.140 tag. Examining the current main branch confirms that persist-credentials: false has been applied across multiple files. For instance, .github/workflows/benchmark.yml on main now has a clean fix:

    - name: Checkout repository
      uses: actions/checkout@v4
      with:
        persist-credentials: false

Similarly, .github/actions/claude-issue-triage-action/action.yml correctly merges the new flag alongside existing with: parameters like fetch-depth: 0.

A Caveat: Duplicate YAML Keys in Some Workflow Files

It is worth noting that some workflow files on main exhibit duplicate with: blocks, a YAML syntax issue likely introduced by an automated patching tool. For example, .github/workflows/release.yml on main shows a pattern like:

    - name: Checkout upstream repo
      uses: actions/checkout@v4
      with:
        persist-credentials: false
      with:
        persist-credentials: false
      with:
        repository: MervinPraison/PraisonAI
        ref: ${{ github.event.inputs.tag }}
        fetch-depth: 0

How a YAML parser treats duplicate keys in one mapping is implementation-dependent: the YAML specification requires keys to be unique, so strict parsers reject the file, while permissive ones such as PyYAML silently keep the last value. Under last-wins semantics the effective with: block in the snippet above is {repository: ..., ref: ..., fetch-depth: 0}, which does not include persist-credentials: false; under a strict parser the workflow fails to load at all. Either way, the fix is not in effect for files like release.yml that already had with: parameters when the flag was inserted.

Users should upgrade to at least v4.5.140 (or, better, the latest release) to get the declared fix, but should also verify independently that the workflow files in their fork or deployment contain persist-credentials: false inside a single with: block on every checkout step, and that no artifact upload step includes the .git directory.
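The zizmor audit described earlier and the duplicate-key caveat just above call for the same check, so here is one added example (not code from this page or from the PraisonAI project) that performs it: a standard-library-only auditor that walks the steps of a workflow file, reports every actions/checkout step whose effective with: block lacks persist-credentials: false, and flags duplicated with: keys separately. It works line by line on the indentation-based layout GitHub workflow files use instead of going through a YAML parser, so it sees the duplicate keys that a last-wins parser would hide. The sample workflow is constructed; it is not one of PraisonAI's files.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample workflow (not from the PraisonAI repository) with one
# checkout step in each state the text describes, plus an unrelated step.
SAMPLE_WORKFLOW = """\
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Bare checkout (vulnerable)
        uses: actions/checkout@v4
      - name: Fixed checkout
        uses: actions/checkout@v4
        with:
          persist-credentials: false
          fetch-depth: 0
      - name: Duplicate with blocks (tool-mangled)
        uses: actions/checkout@v4
        with:
          persist-credentials: false
        with:
          persist-credentials: false
        with:
          repository: example-org/example-repo
          fetch-depth: 0
      - name: Upload everything
        uses: actions/upload-artifact@v4
        with:
          path: .
"""

CHECKOUT_RE = re.compile(r"^\s*uses:\s*['\"]?actions/checkout(?:@[\w./-]+)?['\"]?\s*$")
KEY_RE = re.compile(r"^([A-Za-z_][\w-]*):")
FLAG_RE = re.compile(r"^\s*persist-credentials:\s*['\"]?false['\"]?\s*$")


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def _list_items(text: str) -> List[List[str]]:
    """Group lines into YAML list items: a '- ' line plus everything indented
    deeper than it. Items nested inside an item stay with their parent."""
    items: List[List[str]] = []
    current: List[str] = []
    item_indent = -1
    for line in text.splitlines():
        if not line.strip():
            continue
        ind = _indent(line)
        if line.lstrip().startswith("- ") and (not current or ind <= item_indent):
            if current:
                items.append(current)
            current, item_indent = [line], ind
        elif current and ind > item_indent:
            current.append(line)
        else:  # dedent below the list: the list ended
            if current:
                items.append(current)
            current, item_indent = [], -1
    if current:
        items.append(current)
    return items


def _step_blocks(item: List[str]) -> List[Tuple[str, List[str]]]:
    """Split one step into (key, lines) blocks, one per key at the step's own
    indentation. The leading '- ' is replaced by spaces so the first key lines
    up with the others."""
    first = item[0]
    after_dash = first.lstrip()[1:]
    key_indent = _indent(first) + 1 + _indent(after_dash)
    lines = [" " * key_indent + after_dash.lstrip()] + item[1:]
    blocks: List[Tuple[str, List[str]]] = []
    for line in lines:
        m = KEY_RE.match(line.lstrip()) if _indent(line) == key_indent else None
        if m:
            blocks.append((m.group(1), [line]))
        elif blocks:
            blocks[-1][1].append(line)
    return blocks


def audit_checkout_steps(text: str) -> List[Dict[str, object]]:
    """Classify each actions/checkout step:
      'duplicate-with' -> more than one with: key (strict parsers reject the
                          file; last-wins parsers keep only the final block)
      'ok'             -> a single with: block sets persist-credentials: false
      'missing'        -> no with: block, or the flag is absent"""
    findings: List[Dict[str, object]] = []
    for item in _list_items(text):
        blocks = _step_blocks(item)
        if not any(k == "uses" and CHECKOUT_RE.match(body[0]) for k, body in blocks):
            continue
        name = next((body[0].split(":", 1)[1].strip() for k, body in blocks if k == "name"), "<unnamed>")
        withs = [body for k, body in blocks if k == "with"]
        effective = withs[-1] if withs else []  # what a last-wins parser would see
        flag_effective = any(FLAG_RE.match(line) for line in effective)
        if len(withs) > 1:
            status = "duplicate-with"
        elif flag_effective:
            status = "ok"
        else:
            status = "missing"
        findings.append({"step": name, "status": status,
                         "with_blocks": len(withs), "flag_effective": flag_effective})
    return findings


if __name__ == "__main__":
    for f in audit_checkout_steps(SAMPLE_WORKFLOW):
        print(f"{f['status']:15} with_blocks={f['with_blocks']} flag_effective={f['flag_effective']}  {f['step']}")
```

Run it over every file under .github/workflows/ and .github/actions/ in a fork; anything other than "ok" for a checkout step means the ArtiPACKED precondition is still present, and "duplicate-with" means the file needs the duplicated keys merged into one with: block by hand.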

Affected Systems and Versions

The vulnerability affects PraisonAI versions 4.5.139 and below. The fix was declared in version 4.5.140. Subsequent secure releases include version 4.5.145 on PyPI (April 10, 2026) and version 4.6.1 on GitHub Releases (April 12, 2026).

Any organization or individual that has forked the PraisonAI repository and retained the original GitHub Actions workflow configurations is also potentially affected, regardless of the PraisonAI library version in use. The vulnerability is in the CI/CD configuration, not in the application code itself.

The CWE classification is CWE-829: Inclusion of Functionality from Untrusted Control Sphere.

Vendor Security History

Despite its popularity, PraisonAI experienced a cluster of security advisories in April 2026. The vendor demonstrated rapid response times by patching CVE-2026-40313 in version 4.5.140 and continuing to release updated versions. However, the volume of recent critical advisories, combined with the incomplete patch application noted above, suggests that consumers should continuously monitor the project's security advisories page for new disclosures and verify fixes independently.
