CVE-2026-34955
Published: 04 April 2026
Summary
CVE-2026-34955 is a high-severity OS Command Injection (CWE-78) vulnerability in Praison Praisonai. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 3.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents OS command injection in SubprocessSandbox by requiring comprehensive validation of command inputs beyond incomplete string-pattern blocklists.
Enforces least functionality in the sandbox by prohibiting shell=True usage and unneeded commands like sh or bash, avoiding reliance on flawed blocklists.
Provides robust process isolation for sandboxed subprocesses, mitigating escape attempts via injected commands even in STRICT or NETWORK_ISOLATED modes.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
OS command injection via subprocess with shell=True and incomplete blocklist directly enables arbitrary Unix shell command execution (T1059.004) and facilitates privilege escalation given local low-priv access, scope change, and high CIA impacts (T1068).
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as…
more
standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.
Deeper analysisAI
CVE-2026-34955 is an OS command injection vulnerability (CWE-78) in PraisonAI, a multi-agent teams system. In versions prior to 4.5.97, the SubprocessSandbox component across all modes—BASIC, STRICT, and NETWORK_ISOLATED—invokes subprocess.run() with shell=True while relying exclusively on string-pattern matching for a blocklist of dangerous commands. This blocklist omits "sh" or "bash" as standalone executables, enabling sandbox escapes such as via "sh -c '<command>'" even in STRICT mode.
The vulnerability requires local access (AV:L), low attack complexity (AC:L), and low privileges (PR:L), with no user interaction needed (UI:N). Exploitation changes scope (S:C) and yields high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 8.8. A local attacker can thus bypass sandbox restrictions to execute arbitrary commands.
The vulnerability is patched in PraisonAI version 4.5.97. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q.
Details
- CWE(s)