Python
CVE-2026-34955
HIGH
Severity by source
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'.
Details
sandbox_executor.py:179 (source) -> sandbox_executor.py:326 (sink)
# source -- string-pattern blocklist, sh and bash not in blocked_commands
cmd_name = Path(parts[0]).name
if cmd_name in self.policy.blocked_commands:
# sh, bash not blocked
raise SecurityError(...)
dangerous_patterns = [
("| sh", ...),
# requires space -- "id|bash" evades this
("| bash", ...),
# requires space
]
# sink -- shell=True spawns /bin/sh regardless of sandbox mode
result = subprocess.run(
command,
shell=True,
...
)PoC
# tested on: praisonai==4.5.87 (source install)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.cli.features.sandbox_executor import SubprocessSandbox, SandboxPolicy, SandboxMode
policy = SandboxPolicy.for_mode(SandboxMode.STRICT)
sandbox = SubprocessSandbox(policy=policy)
result = sandbox.execute("sh -c 'id'")
print(result.stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...Impact
Users who deploy with --sandbox strict have no meaningful OS-level isolation. Any command blocked by the policy (curl, wget, nc, ssh) is trivially reachable via sh -c '<blocked_command>'. Combined with agent prompt injection, an attacker can escape the sandbox and reach the network, filesystem, and cloud metadata services.
Suggested Fix
import shlex
result = subprocess.run(
shlex.split(command),
shell=False,
cwd=cwd,
env=env,
capture_output=capture_output,
text=True,
timeout=timeout
)AnalysisAI
Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisor
Technical ContextAI
PraisonAI (pkg:pip/praisonai) implements a Python-based subprocess sandbox intended to restrict command execution in AI agent environments. The root cause is CWE-78 (OS Command Injection) manifesting through unsafe subprocess invocation patterns. The code calls subprocess.run() with shell=True, which spawns /bin/sh to interpret the command string, then attempts security enforcement via string-pattern matching against a blocklist. The blocklist checks Path(parts[0]).name against policy.blocked_commands and scans for patterns like '| sh' and '| bash' (requiring whitespace delimiters). However, standalone 'sh' and 'bash' executables are not blocked, and the space-dependent regex fails against compact syntax like 'id|bash'. This creates a trivial bypass: wrapping any blocked command in 'sh -c' causes the policy check to see only 'sh' (not blocked), while the shell interpreter executes the wrapped payload with full privileges. The vulnerability exists across all three sandbox modes (BASIC/STRICT/NETWORK_ISOLATED), negating the security model entirely. The shell=True parameter is the critical enabler, as it transforms a Python string into a Bourne shell command with full metacharacter interpretation.
RemediationAI
Upgrade to a patched version of PraisonAI once available from the upstream repository at https://github.com/MervinPraison/PraisonAI. Monitor the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q for release announcements. The recommended code-level fix is to replace subprocess.run(command, shell=True, ...) with subprocess.run(shlex.split(command), shell=False, ...) to disable shell interpretation and prevent metacharacter injection. Until a vendor patch is released, implement compensating controls: disable sandbox mode entirely and rely on OS-level isolation (containers, VMs, seccomp-bpf, or AppArmor/SELinux profiles), restrict PraisonAI to trusted prompts only with no user-supplied tool definitions, or fork the repository and apply the shlex.split patch manually. Do not rely on adding 'sh' and 'bash' to the blocklist as a workaround - the underlying shell=True pattern remains exploitable through other interpreters (python -c, perl -e, etc). Network segmentation should be enforced at infrastructure level to prevent exfiltration even if sandbox escape occurs.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-r4f2-3m54-pp7q