CVE-2026-34937
Published: 03 April 2026
Summary
CVE-2026-34937 is a high-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonaiagents. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 9.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection by requiring validation and sanitization of user-controlled code before interpolation into shell commands executed via subprocess.run with shell=True.
Requires timely remediation of the specific software flaw enabling command injection through inadequate escaping of shell metacharacters like $() and backticks.
Mitigates impact of successful exploitation by enforcing least privilege on the PraisonAI process, limiting privileges available for injected OS commands.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OS command injection in run_python() via insufficient escaping of shell metacharacters ($() and backticks) in a subprocess.run(shell=True) call directly enables arbitrary Unix shell command execution (T1059.004). As a local low-privilege attacker can leverage this to run commands with the PraisonAI process privileges (potentially elevated), it also facilitates T1068 for privilege escalation.
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ",…
more
leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. This issue has been patched in version 1.5.90.
Deeper analysisAI
CVE-2026-34937 is an OS command injection vulnerability (CWE-78) in PraisonAI, an open-source multi-agent teams system. The issue affects versions prior to 1.5.90 and resides in the run_python() function within the praisonai package. This function constructs a shell command by interpolating user-controlled code into a python3 -c "<code>" string and executes it via subprocess.run() with shell=True. The escaping logic only handles backslashes and double quotes, leaving command substitutions like $() and backticks unescaped, which enables arbitrary OS command execution on the host system before the Python interpreter is invoked. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A local attacker with low privileges can exploit this vulnerability by supplying malicious input to the run_python() function, such as code containing shell metacharacters like $(command) or backticks. No user interaction is required beyond providing the crafted input, and exploitation is straightforward due to low attack complexity. Successful exploitation grants the attacker the ability to execute arbitrary operating system commands with the privileges of the PraisonAI process, potentially leading to high-impact confidentiality, integrity, and availability violations, including full system compromise if the process runs with elevated privileges.
The GitHub security advisory (GHSA-w37c-qqfp-c67f) confirms that the vulnerability has been patched in PraisonAI version 1.5.90. Security practitioners should upgrade to this version or later to mitigate the issue, and review any deployments of earlier versions for potential exposure.
Details
- CWE(s)