CVE-2026-34938
Published: 03 April 2026
Summary
CVE-2026-34938 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in Praison Praisonaiagents. Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SC-44 (Detonation Chambers).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of identified flaws, such as the sandbox bypass in execute_code(), to prevent arbitrary OS command execution on the host.
Provides detonation chambers for isolated execution and monitoring of potentially malicious code like attacker-controlled Python, preventing sandbox escapes to the host.
Enforces process isolation to confine untrusted code execution within secure domains, mitigating bypasses that allow host OS command execution.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote unauthenticated sandbox bypass in a network-accessible Python-based application enables exploitation of a public-facing application (T1190) leading to arbitrary code execution via Python interpreter (T1059.006).
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving…
more
arbitrary OS command execution on the host. This issue has been patched in version 1.5.90.
Deeper analysisAI
CVE-2026-34938 is a critical sandbox bypass vulnerability in PraisonAI, a multi-agent teams system. Prior to version 1.5.90, the execute_code() function in the praisonai-agents component executes attacker-controlled Python code within a three-layer sandbox. This protection can be fully circumvented by passing a string subclass with an overridden startswith() method to the _safe_getattr wrapper, resulting in arbitrary OS command execution on the host system. The vulnerability is associated with CWE-693 and carries a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
A remote, unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting malicious input that triggers the sandbox bypass, the attacker achieves full remote code execution on the host, potentially compromising confidentiality, integrity, and availability across the affected scope.
The vulnerability has been patched in PraisonAI version 1.5.90. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294.
Details
- CWE(s)