Skip to main content

Python CVE-2026-34955

HIGH
OS Command Injection (CWE-78)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-r4f2-3m54-pp7q
8.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.8 HIGH
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:26 nvd
HIGH 8.8

DescriptionGitHub Advisory

Summary

SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'.

Details

sandbox_executor.py:179 (source) -> sandbox_executor.py:326 (sink)

python
# source -- string-pattern blocklist, sh and bash not in blocked_commands
cmd_name = Path(parts[0]).name
if cmd_name in self.policy.blocked_commands:
# sh, bash not blocked
    raise SecurityError(...)
dangerous_patterns = [
    ("| sh",   ...),
# requires space -- "id|bash" evades this
    ("| bash", ...),
# requires space
]
# sink -- shell=True spawns /bin/sh regardless of sandbox mode
result = subprocess.run(
    command,
    shell=True,
    ...
)

PoC

python
# tested on: praisonai==4.5.87 (source install)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.cli.features.sandbox_executor import SubprocessSandbox, SandboxPolicy, SandboxMode

policy = SandboxPolicy.for_mode(SandboxMode.STRICT)
sandbox = SubprocessSandbox(policy=policy)

result = sandbox.execute("sh -c 'id'")
print(result.stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Users who deploy with --sandbox strict have no meaningful OS-level isolation. Any command blocked by the policy (curl, wget, nc, ssh) is trivially reachable via sh -c '<blocked_command>'. Combined with agent prompt injection, an attacker can escape the sandbox and reach the network, filesystem, and cloud metadata services.

Suggested Fix

python
import shlex

result = subprocess.run(
    shlex.split(command),
    shell=False,
    cwd=cwd,
    env=env,
    capture_output=capture_output,
    text=True,
    timeout=timeout
)

AnalysisAI

Command injection in PraisonAI's SubprocessSandbox allows authenticated local users to bypass all sandbox modes (BASIC, STRICT, NETWORK_ISOLATED) and execute arbitrary OS commands. The vulnerability stems from shell=True usage combined with inadequate blocklist filtering that omits 'sh' and 'bash' executables, enabling trivial escape via 'sh -c' wrapper. CVSS 8.8 (High) reflects scope change and complete CIA triad compromise. No active exploitation confirmed (not in CISA KEV), but GitHub advisor

Technical ContextAI

PraisonAI (pkg:pip/praisonai) implements a Python-based subprocess sandbox intended to restrict command execution in AI agent environments. The root cause is CWE-78 (OS Command Injection) manifesting through unsafe subprocess invocation patterns. The code calls subprocess.run() with shell=True, which spawns /bin/sh to interpret the command string, then attempts security enforcement via string-pattern matching against a blocklist. The blocklist checks Path(parts[0]).name against policy.blocked_commands and scans for patterns like '| sh' and '| bash' (requiring whitespace delimiters). However, standalone 'sh' and 'bash' executables are not blocked, and the space-dependent regex fails against compact syntax like 'id|bash'. This creates a trivial bypass: wrapping any blocked command in 'sh -c' causes the policy check to see only 'sh' (not blocked), while the shell interpreter executes the wrapped payload with full privileges. The vulnerability exists across all three sandbox modes (BASIC/STRICT/NETWORK_ISOLATED), negating the security model entirely. The shell=True parameter is the critical enabler, as it transforms a Python string into a Bourne shell command with full metacharacter interpretation.

RemediationAI

Upgrade to a patched version of PraisonAI once available from the upstream repository at https://github.com/MervinPraison/PraisonAI. Monitor the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q for release announcements. The recommended code-level fix is to replace subprocess.run(command, shell=True, ...) with subprocess.run(shlex.split(command), shell=False, ...) to disable shell interpretation and prevent metacharacter injection. Until a vendor patch is released, implement compensating controls: disable sandbox mode entirely and rely on OS-level isolation (containers, VMs, seccomp-bpf, or AppArmor/SELinux profiles), restrict PraisonAI to trusted prompts only with no user-supplied tool definitions, or fork the repository and apply the shlex.split patch manually. Do not rely on adding 'sh' and 'bash' to the blocklist as a workaround - the underlying shell=True pattern remains exploitable through other interpreters (python -c, perl -e, etc). Network segmentation should be enforced at infrastructure level to prevent exfiltration even if sandbox escape occurs.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy