[SECURITY] [DLA 4612-1] sentry-python security update

Debian LTS Advisory DLA-4612-1 [email protected] https://www.debian.org/lts/security/ Santiago Ruano Rincón May 31, 2026 https://wiki.debian.org/LTS Package : sentry-python Version : 0.13.2-1+deb11u1 CVE ID : CVE-2024-40647 Debian Bug : 1083189 A vulnerability was found in the Python SD...

GHSA-5V57-8RXJ-3P2R python-utcp: Full Process Environment Exposed to CLI Subprocess - Secrets Leakage via Command Injection

Summary prepareenvironment in clicommunicationprotocol.py passes a full copy of os.environ to every CLI subprocess. When combined with the Command Injection vulnerability CWE-78 in substituteutcpargs tracked as GHSA-33p6-5jxp-p3x4, an attacker can exfiltrate all process-level secrets in a single...

PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands

Summary The approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves executecommand for any command e.g., ls -la, all subsequent executecommand calls in that execution context bypass the approval prompt entirely...

PraisonAI Vulnerable to Sensitive Environment Variable Exposure via Untrusted MCP Subprocess Execution

PraisonAI’s MCP Model Context Protocol integration allows spawning background servers via stdio using user-supplied command strings e.g., MCP"npx -y @smithery/cli ...". These commands are executed through Python’s subprocess module. By default, the implementation forwards the entire parent proces...

CVE-2026-40159

PraisonAI's MCP integration (before 4.5.128) spawns background processes via stdio using user-supplied commands, and forwards the full parent environment to the subprocess. This allows any MCP invocation to inherit sensitive variables (API keys, tokens, database credentials), enabling potential c...

EUVD-2024-2345

Malicious code in bioql PyPI...

Unintentional exposure of environment variables to subprocesses in sentry-sdk

...