Python
CVE-2026-34937
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.
Details
execute_command.py:290 (source) -> execute_command.py:297 (hop) -> execute_command.py:310 (sink)
# source -- user-controlled code argument
def run_python(code: str, cwd=None, timeout=60):
# hop -- incomplete escaping, $ and () not handled
escaped_code = code.replace('\\', '\\\\').replace('"', '\\"')
command = f'{python_cmd} -c "{escaped_code}"'
# sink -- shell=True expands $() before python3 runs
return execute_command(command=command, cwd=cwd, timeout=timeout)
# execute_command calls subprocess.run(command, shell=True, ...)PoC
# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute_command import run_python
result = run_python(code='$(id > /tmp/injected)')
print(result)
# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...Impact
Any agent pipeline or API consumer that passes user or task-supplied content to run_python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH_ENABLED = False by default when no token is configured.
AnalysisAI
Command injection in PraisonAI's run_python() function allows authenticated local attackers to execute arbitrary operating system commands with the privileges of the application process. The vulnerability stems from incomplete input sanitization that fails to escape shell metacharacters ($() and backticks) before passing user-controlled code to subprocess.run() with shell=True. Attackers with low-privilege local access can exploit this to achieve full system compromise (confidentiality, integrity, and availability impact rated High). Proof-of-concept code demonstrates successful command injection via the praisonaiagents Python package. No active exploitation confirmed via CISA KEV at time of analysis, but publicly available exploit code exists in the GitHub security advisory.
Technical ContextAI
PraisonAI is a Python-based AI agent framework (distributed via PyPI as praisonaiagents) that provides code execution capabilities for autonomous agents. The vulnerable run_python() function in execute_command.py constructs shell commands by embedding user input into a python3 -c "<code>" string pattern. The sanitization logic only escapes backslashes and double quotes, but fails to neutralize POSIX shell command substitution operators like $() and backticks. When this malformed command string reaches subprocess.run() with shell=True, the underlying shell (typically bash or sh) processes the substitution operators before Python is invoked, resulting in CWE-78 (OS Command Injection). The vulnerability is compounded by the framework's auto-generated Flask API server deploying with AUTH_ENABLED=False by default when no authentication token is configured, potentially exposing the run_python() endpoint to indirect prompt injection attacks where malicious instructions embedded in documents or external data sources trigger the vulnerable code path during agent execution workflows.
RemediationAI
Organizations should immediately review PraisonAI deployments and apply available patches per the vendor advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w37c-qqfp-c67f. The specific patched version number is not provided in the available intelligence data; users should consult the GitHub advisory and repository release notes for the fixed version and upgrade the praisonaiagents package via pip. As an interim mitigation, disable or restrict access to the run_python() function and any API endpoints that expose code execution capabilities to untrusted users. Enable authentication controls by configuring AUTH_ENABLED=True and requiring valid authentication tokens for all Flask API server deployments. Implement input validation that rejects or safely handles shell metacharacters before any subprocess invocation, and consider refactoring the run_python() implementation to use subprocess.run() with shell=False and argument list arrays instead of shell string interpolation. Organizations unable to patch immediately should isolate PraisonAI deployments to trusted networks and audit all agent pipeline configurations to ensure user-controlled content cannot reach the vulnerable code path.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-w37c-qqfp-c67f