CVE-2026-34935
Published: 03 April 2026
Summary
CVE-2026-34935 is a critical-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires validation of untrusted CLI inputs like the --mcp argument to block command injection via unsanitized shlex.split() processing.
Mandates identification and remediation of flaws such as this command injection vulnerability by patching to PraisonAI version 4.5.69.
Enforces least privilege on the PraisonAI process to restrict the scope and impact of arbitrary OS commands executed via injection.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables unauthenticated remote command injection (T1190: Exploit Public-Facing Application) leading to arbitrary OS command execution (T1059: Command and Scripting Interpreter).
NVD Description
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop,…
more
allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.
Deeper analysisAI
CVE-2026-34935 is a critical command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system. It affects versions 4.5.15 through 4.5.68, where the --mcp CLI argument is passed directly to shlex.split() and forwarded unsanitized through the call chain to anyio.open_process(), enabling arbitrary OS command execution as the process user.
Remote attackers require no privileges or user interaction to exploit this vulnerability, which has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). By supplying a malicious --mcp argument, attackers can execute arbitrary commands on the host system with the privileges of the PraisonAI process, potentially achieving full compromise including data exfiltration, persistence, or further lateral movement.
The vulnerability has been patched in PraisonAI version 4.5.69. Mitigation details are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m and the patching commit at https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c.
Given PraisonAI's role as a multi-agent teams system, this flaw underscores command injection risks in AI/ML development tools that rely on CLI interfaces for process spawning.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp