Cyber Resilience

CVE-2026-35002

Critical · Public PoC · RCE

Published: 02 April 2026
Modified: 16 April 2026

CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0085 (53.5th percentile)
Risk priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-35002 is a critical-severity Eval Injection (CWE-95) vulnerability in Agno (vendor: Agno). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 46.5% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-35002 is an arbitrary code execution vulnerability (CWE-95) in Agno versions prior to 2.3.24. The flaw exists in the model execution component, where the field_type parameter passed in a FunctionCall is directly evaluated using Python's eval() function, enabling attackers to inject and execute arbitrary Python code.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity with network accessibility, low attack complexity, and no requirements for privileges or user interaction. Unauthenticated remote attackers can exploit it by manipulating the field_type value in a FunctionCall, achieving full remote code execution on the target system with high impacts to confidentiality, integrity, and availability.

Mitigation is addressed in Agno version 2.3.24, as evidenced by the release tag and the associated fixing commit. Further technical details on the field_type eval injection and exploitation are available in the VulnCheck advisory.
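As an added illustration (not Agno's code and not the fixing commit; every name in it is hypothetical), the unsafe pattern the advisory describes, a caller-controlled field_type string handed to eval(), beside a hardened allowlist lookup and a cheap triage check for request logs:

```python
import re
from typing import Any, Dict, List, Optional

def resolve_field_type_unsafe(field_type: str) -> Any:
    """The vulnerable pattern (CWE-95): the caller-supplied string is handed
    straight to eval(), so any Python expression in it is executed."""
    return eval(field_type)  # defect shown on purpose; do not copy

# Hardened replacement: a fixed table of the type names a FunctionCall may
# name. Anything not in the table is rejected, never evaluated.
ALLOWED_FIELD_TYPES: Dict[str, Any] = {
    "str": str, "int": int, "float": float, "bool": bool,
    "list": list, "dict": dict,
    "List[str]": List[str], "List[int]": List[int],
    "Dict[str, Any]": Dict[str, Any], "Optional[str]": Optional[str],
}

def resolve_field_type_safe(field_type: str) -> Any:
    """Look the name up in the allowlist (whitespace-insensitive); raise on
    anything else instead of evaluating it."""
    if not isinstance(field_type, str):
        raise TypeError("field_type must be a string")
    wanted = field_type.replace(" ", "")
    for name, typ in ALLOWED_FIELD_TYPES.items():
        if name.replace(" ", "") == wanted:
            return typ
    raise ValueError(f"unsupported field_type: {field_type!r}")

def is_safe_field_type(field_type: Any) -> bool:
    """True when the value resolves through the allowlist, False otherwise."""
    try:
        resolve_field_type_safe(field_type)
        return True
    except (TypeError, ValueError):
        return False

# Triage check for request logs or a WAF rule: a legitimate field_type is a
# bare, optionally subscripted, name. Quotes, parentheses or operators have
# no business in a type annotation. This is for detection only; the
# allowlist above is the actual fix.
_TYPE_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*(\[[A-Za-z0-9_.,\s\[\]]*\])?")

def looks_like_type_name(field_type: str) -> bool:
    return _TYPE_NAME.fullmatch(field_type) is not None
```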

Vulnerability details

Agno versions prior to 2.3.24 contain an arbitrary code execution vulnerability in the model execution component that allows attackers to execute arbitrary Python code by manipulating the field_type parameter passed to eval(). Attackers can influence the field_type value in a FunctionCall to achieve remote code execution.

CWE(s): CWE-95 (Eval Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.

Why these techniques?

This CVE enables unauthenticated remote code execution in a public-facing application via Python eval() injection, which maps directly to exploitation of public-facing applications and abuse of the Python interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-0868 (shared CWE-95)
CVE-2026-28370 (shared CWE-95)
CVE-2026-44128 (shared CWE-95)
CVE-2026-33618 (shared CWE-95)
CVE-2013-10051 (shared CWE-95)
CVE-2025-8420 (shared CWE-95)
CVE-2026-29091 (shared CWE-95)
CVE-2026-4001 (shared CWE-95)
CVE-2024-10633 (shared CWE-95)
CVE-2025-68271 (shared CWE-95)

Affected Assets

Vendor: agno
Product: agno
Versions: ≤ 2.3.24

Mitigating Controls (NIST 800-53 r5, AI)

prevent: SI-10 (Information Input Validation). Directly requires validation of the field_type parameter to block malicious Python code injection into the eval() function.

prevent: Ensures timely identification, reporting, and patching of the arbitrary code execution flaw, as fixed in Agno 2.3.24.

detect: RA-5 (Vulnerability Monitoring and Scanning). Provides vulnerability scanning to detect the field_type eval injection vulnerability for prioritization and remediation.

References