Is Command Injection affected by CVE-2026-34935?

PraisonAI versions before 4.5.69 contain a critical remote command execution vulnerability in the `--mcp` CLI argument that allows unauthenticated attackers to execute arbitrary operating system commands with the privileges of the application process.

CVE-2026-34935

CRITICAL

2026-04-01 https://github.com/MervinPraison/PraisonAI

GHSA-9gm9-c8mq-vq7m

9.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

Analysis Generated

Apr 02, 2026 - 00:15 vuln.today

Patch Released

Apr 02, 2026 - 00:15 nvd

Patch available

CVE Published

Apr 01, 2026 - 23:20 nvd

CRITICAL 9.8

Description

### Summary The `--mcp` CLI argument is passed directly to `shlex.split()` and forwarded through the call chain to `anyio.open_process()` with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. ### Details `cli/features/mcp.py:61` (source) -> `praisonaiagents/mcp/mcp.py:345` (hop) -> `mcp/client/stdio/__init__.py:253` (sink) ```python # source parts = shlex.split(command) # hop cmd, args, env = self.parse_mcp_command(command, env_vars) self.server_params = StdioServerParameters(command=cmd, args=arguments) # sink process = await anyio.open_process([command, *args]) ``` Fixed in commit `47bff65413beaa3c21bf633c1fae4e684348368c` (v4.5.69) by introducing a command allowlist: ```python ALLOWED_COMMANDS = {"npx", "uvx", "node", "python"} if cmd not in ALLOWED_COMMANDS: raise ValueError(f"Disallowed command: {cmd}") ``` ### PoC ```python # tested on: praisonai==4.5.48 # install: pip install praisonai==4.5.48 # run: praisonai --mcp "bash -c 'id > /tmp/pwned'" # verify: cat /tmp/pwned # expected output: uid=1000(...) gid=1000(...) groups=1000(...) ``` ### Impact Any deployment where the `--mcp` argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.

Analysis

Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized `--mcp` CLI argument. The vulnerability stems from passing user-controlled input directly to `shlex.split()` and `anyio.open_process()` without validation. …

Remediation

Within 24 hours: Identify all systems running PraisonAI and determine currently installed versions using `pip show praisonai`. Within 7 days: Upgrade all affected instances to PraisonAI version 4.5.69 or later using `pip install --upgrade praisonai>=4.5.69` and validate the upgrade with `pip show praisonai`. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +49

POC: +20

CVE-2026-34935 vulnerability details – vuln.today

Back

CVE-2026-34935

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Analysis

Full analysis requires sign-in

Priority Score

Share

CVE-2026-34935

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Remediation

Full analysis requires sign-in

Priority Score

Share

External POC / Exploit Code