Skip to main content

Python CVE-2026-34937

HIGH
OS Command Injection (CWE-78)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-w37c-qqfp-c67f
7.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:18 nvd
HIGH 7.8

DescriptionGitHub Advisory

Summary

run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.

Details

execute_command.py:290 (source) -> execute_command.py:297 (hop) -> execute_command.py:310 (sink)

python
# source -- user-controlled code argument
def run_python(code: str, cwd=None, timeout=60):
# hop -- incomplete escaping, $ and () not handled
    escaped_code = code.replace('\\', '\\\\').replace('"', '\\"')
    command = f'{python_cmd} -c "{escaped_code}"'
# sink -- shell=True expands $() before python3 runs
    return execute_command(command=command, cwd=cwd, timeout=timeout)
# execute_command calls subprocess.run(command, shell=True, ...)

PoC

python
# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute_command import run_python

result = run_python(code='$(id > /tmp/injected)')
print(result)
# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Any agent pipeline or API consumer that passes user or task-supplied content to run_python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH_ENABLED = False by default when no token is configured.

AnalysisAI

Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.

Technical ContextAI

PraisonAI is a Python-based AI agent framework (distributed via PyPI as praisonaiagents) that provides code execution capabilities for autonomous agents. The vulnerable run_python() function in execute_command.py constructs shell commands by embedding user input into a python3 -c "<code>" string pattern. The sanitization logic only escapes backslashes and double quotes, but fails to neutralize POSIX shell command substitution operators like $() and backticks. When this malformed command string reaches subprocess.run() with shell=True, the underlying shell (typically bash or sh) processes the substitution operators before Python is invoked, resulting in CWE-78 (OS Command Injection). The vulnerability is compounded by the framework's auto-generated Flask API server deploying with AUTH_ENABLED=False by default when no authentication token is configured, potentially exposing the run_python() endpoint to indirect prompt injection attacks where malicious instructions embedded in documents or external data sources trigger the vulnerable code path during agent execution workflows.

RemediationAI

Organizations should immediately review PraisonAI deployments and apply available patches per the vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w37c-qqfp-c67f. The specific patched version number is not provided in the available intelligence data; users should consult the GitHub advisory and repository release notes for the fixed version and upgrade the praisonaiagents package via pip. As an interim mitigation, disable or restrict access to the run_python() function and any API endpoints that expose code execution capabilities to untrusted users. Enable authentication controls by configuring AUTH_ENABLED=True and requiring valid authentication tokens for all Flask API server deployments. Implement input validation that rejects or safely handles shell metacharacters before any subprocess invocation, and consider refactoring the run_python() implementation to use subprocess.run() with shell=False and argument list arrays instead of shell string interpolation. Organizations unable to patch immediately should isolate PraisonAI deployments to trusted networks and audit all agent pipeline configurations to ensure user-controlled content cannot reach the vulnerable code path.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34937 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy