CVE-2026-34955 Overview
A critical command injection vulnerability exists in PraisonAI, a multi-agent teams system, prior to version 4.5.97. The SubprocessSandbox component in all security modes (BASIC, STRICT, NETWORK_ISOLATED) is vulnerable to sandbox escape due to an incomplete blocklist implementation. The sandbox calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands, but fails to include sh or bash as standalone executables in its blocklist. This allows attackers to trivially escape the sandbox in STRICT mode by executing commands via sh -c '<command>'.
Critical Impact
Local attackers with low privileges can escape the sandbox and execute arbitrary commands with elevated privileges, potentially compromising confidentiality, integrity, and availability of the affected system.
Affected Products
- PraisonAI versions prior to 4.5.97
- SubprocessSandbox component (BASIC mode)
- SubprocessSandbox component (STRICT mode)
- SubprocessSandbox component (NETWORK_ISOLATED mode)
Discovery Timeline
- April 4, 2026 - CVE CVE-2026-34955 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2026-34955
Vulnerability Analysis
This vulnerability is classified as CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection). The flaw stems from a fundamental design weakness in the SubprocessSandbox security mechanism.
The SubprocessSandbox component was designed to provide isolated execution environments at varying security levels. However, the implementation relies on a blocklist approach to filter dangerous commands before executing them via Python's subprocess.run() function with shell=True. This approach is inherently flawed as it attempts to enumerate all possible dangerous commands rather than using an allowlist of permitted operations.
The critical oversight is that while the blocklist may include common dangerous commands, it fails to include shell interpreters like sh and bash as standalone executables. An attacker can leverage these interpreters to execute arbitrary commands that would otherwise be blocked.
Root Cause
The root cause is twofold:
Insecure subprocess invocation: Using subprocess.run() with shell=True enables shell interpretation of the command string, opening the door to shell metacharacter abuse and command chaining.
Incomplete blocklist: The string-pattern matching blocklist fails to account for shell interpreters (sh, bash) as standalone executables. This is a common pitfall of blocklist-based security approaches, which can never be comprehensive against creative attackers.
The combination of these issues means that even in STRICT mode, the sandbox provides a false sense of security while being trivially bypassable.
Attack Vector
The attack vector requires local access with low privileges. An attacker interacting with PraisonAI's multi-agent system can craft input that invokes the SubprocessSandbox. By using the pattern sh -c '<malicious_command>', the attacker bypasses the blocklist entirely since sh is not filtered. The shell interpreter then executes the inner command, which could include any blocked commands or arbitrary system operations.
For example, if the blocklist blocks rm, cat, or wget directly, an attacker can still execute these commands by wrapping them: sh -c 'rm -rf /important/data' or bash -c 'cat /etc/passwd'. This effectively renders the sandbox protections useless.
The scope change indicated in the CVSS assessment means that a successful exploit can impact resources beyond the vulnerable component, potentially affecting the entire host system.
Detection Methods for CVE-2026-34955
Indicators of Compromise
- Unusual process trees showing sh or bash spawned as child processes of PraisonAI components
- Command line arguments containing sh -c or bash -c patterns in process execution logs
- Unexpected file system modifications or network connections originating from PraisonAI processes
- Suspicious activity in system logs correlating with PraisonAI agent execution times
Detection Strategies
- Monitor process execution for subprocess.run() calls with shell=True that spawn shell interpreters
- Implement endpoint detection rules to alert on sh -c or bash -c command patterns executed by Python processes
- Review application logs for attempted command injections or unusual input patterns
- Deploy runtime application self-protection (RASP) solutions to detect sandbox escape attempts
Monitoring Recommendations
- Enable detailed audit logging for all subprocess calls within PraisonAI deployments
- Configure SentinelOne Singularity to detect command injection patterns and sandbox escape techniques
- Establish baselines for normal PraisonAI process behavior and alert on deviations
- Implement file integrity monitoring on critical system directories
How to Mitigate CVE-2026-34955
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.97 or later immediately
- Audit all PraisonAI deployments to identify vulnerable instances running versions prior to 4.5.97
- Review logs for any evidence of exploitation attempts using sh -c or bash -c patterns
- Restrict local access to systems running PraisonAI to trusted users only
Patch Information
The vulnerability has been patched in PraisonAI version 4.5.97. Users should upgrade to this version or later to remediate the vulnerability. For detailed information about the fix, refer to the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, consider disabling or isolating the SubprocessSandbox functionality
- Implement additional input validation at the application layer before commands reach the sandbox
- Deploy network segmentation to limit the impact of potential sandbox escapes
- Use container isolation (Docker, Podman) to add an additional security boundary around PraisonAI deployments
# Example: Running PraisonAI in an isolated container as a temporary mitigation
docker run --rm -it \
--security-opt=no-new-privileges \
--cap-drop=ALL \
--read-only \
praisonai:4.5.97
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
