Cyber Resilience

CVE-2026-34955

HighPublic PoC

Published: 04 April 2026

Published
04 April 2026
Modified
14 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0038 30.0th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-34955 is a high-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-34955 is an OS command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system. In versions prior to 4.5.97, the SubprocessSandbox component across all modes—BASIC, STRICT, and NETWORK_ISOLATED—invokes subprocess.run() with shell=True while relying exclusively on string-pattern matching for a blocklist of dangerous commands. This blocklist omits "sh" or "bash" as standalone executables, enabling sandbox escapes such as via "sh -c '<command>'" even in STRICT mode.

The vulnerability requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction needed (UI:N). Exploitation changes scope (S:C) and yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 8.8. A local attacker can thus bypass sandbox restrictions to execute arbitrary commands.

The vulnerability is patched in PraisonAI version 4.5.97. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as…

more

standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059.004 Unix Shell Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

OS command injection via subprocess with shell=True and incomplete blocklist directly enables arbitrary Unix shell command execution (T1059.004) and facilitates privilege escalation given local low-priv access, scope change, and high CIA impacts (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-40088Same product: Praison Praisonai
CVE-2026-34935Same product: Praison Praisonai
CVE-2026-41497Same product: Praison Praisonai
CVE-2026-40149Same product: Praison Praisonai
CVE-2026-44338Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai
CVE-2026-34934Same product: Praison Praisonai
CVE-2026-34936Same product: Praison Praisonai
CVE-2026-40113Same product: Praison Praisonai
CVE-2026-44340Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.97

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents OS command injection in SubprocessSandbox by requiring comprehensive validation of command inputs beyond incomplete string-pattern blocklists.

prevent

Enforces least functionality in the sandbox by prohibiting shell=True usage and unneeded commands like sh or bash, avoiding reliance on flawed blocklists.

prevent

Provides robust process isolation for sandboxed subprocesses, mitigating escape attempts via injected commands even in STRICT or NETWORK_ISOLATED modes.

References