Cyber Resilience

CVE-2026-34935

CriticalPublic PoCRCE

Published: 03 April 2026

Published
03 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0082 52.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34935 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 47.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34935 is a critical command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system. It affects versions 4.5.15 through 4.5.68, where the --mcp CLI argument is passed directly to shlex.split() and forwarded unsanitized through the call chain to anyio.open_process(), enabling arbitrary OS command execution as the process user.

Remote attackers require no privileges or user interaction to exploit this vulnerability, which has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a malicious --mcp argument, attackers can execute arbitrary commands on the host system with the privileges of the PraisonAI process, potentially achieving full compromise including data exfiltration, persistence, or further lateral movement.

The vulnerability has been patched in PraisonAI version 4.5.69. Mitigation details are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m and the patching commit at https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c.

Given PraisonAI's role as a multi-agent teams system, this flaw underscores command injection risks in AI/ML development tools that rely on CLI interfaces for process spawning.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop,…

more

allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.

CWE(s)

AI Security AnalysisAI

AI Category
AI Agent Protocols and Integrations
Risk Domain
Supply Chain and Deployment
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: mcp

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
Why these techniques?

The vulnerability enables unauthenticated remote command injection (T1190: Exploit Public-Facing Application) leading to arbitrary OS command execution (T1059: Command and Scripting Interpreter).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40088Same product: Praison Praisonai
CVE-2026-41497Same product: Praison Praisonai
CVE-2026-34955Same product: Praison Praisonai
CVE-2026-34953Same product: Praison Praisonai
CVE-2026-44336Same product: Praison Praisonai
CVE-2026-40116Same product: Praison Praisonai
CVE-2026-44338Same product: Praison Praisonai
CVE-2026-34934Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-34952Same product: Praison Praisonai

Affected Assets

praison
praisonai
4.5.15 — 4.5.69

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of untrusted CLI inputs like the --mcp argument to block command injection via unsanitized shlex.split() processing.

prevent

Mandates identification and remediation of flaws such as this command injection vulnerability by patching to PraisonAI version 4.5.69.

prevent

Enforces least privilege on the PraisonAI process to restrict the scope and impact of arbitrary OS commands executed via injection.

References