What is the CVSS score of CVE-2026-34935?

CVE-2026-34935 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Python are affected by CVE-2026-34935?

PraisonAI versions before 4.5.69 contain a critical remote command execution vulnerability in the `--mcp` CLI argument that allows unauthenticated attackers to execute arbitrary operating system…. A patch is available.

Is there a public PoC exploit available for CVE-2026-34935?

Yes, a public proof-of-concept exploit is available for CVE-2026-34935. Prioritise patching immediately. EPSS: 0.1%.

Python CVE-2026-34935

CRITICAL

OS Command Injection (CWE-78)

2026-04-01 https://github.com/MervinPraison/PraisonAI

GHSA-9gm9-c8mq-vq7m

Python Command Injection

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

PoC Detected

Apr 07, 2026 - 13:20 vuln.today

Public exploit code

Analysis Generated

Apr 02, 2026 - 00:15 vuln.today

Patch released

Apr 02, 2026 - 00:15 nvd

Patch available

CVE Published

Apr 01, 2026 - 23:20 nvd

CRITICAL 9.8

DescriptionNVD

Summary

The --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.

Details

cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/__init__.py:253 (sink)

python

# source
parts = shlex.split(command)
# hop
cmd, args, env = self.parse_mcp_command(command, env_vars)
self.server_params = StdioServerParameters(command=cmd, args=arguments)
# sink
process = await anyio.open_process([command, *args])

Fixed in commit 47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:

python

ALLOWED_COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED_COMMANDS:
    raise ValueError(f"Disallowed command: {cmd}")

PoC

python

# tested on: praisonai==4.5.48
# install: pip install praisonai==4.5.48
# run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
# verify: cat /tmp/pwned
# expected output: uid=1000(...) gid=1000(...) groups=1000(...)

Impact

Any deployment where the --mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.

AnalysisAI

Arbitrary OS command execution in PraisonAI (Python package) versions prior to 4.5.69 allows remote unauthenticated attackers to execute commands as the process user via the unsanitized --mcp CLI argument. The vulnerability stems from passing user-controlled input directly to shlex.split() and anyio.open_process() without validation. …

RemediationAI

Within 24 hours: Identify all systems running PraisonAI and determine currently installed versions using pip show praisonai. Within 7 days: Upgrade all affected instances to PraisonAI version 4.5.69 or later using pip install --upgrade praisonai>=4.5.69 and validate the upgrade with pip show praisonai. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34935 vulnerability details – vuln.today

Back

Python CVE-2026-34935

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Summary

Details

PoC

Impact

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code