CVE-2026-34955 Overview
CVE-2026-34955 is a command injection vulnerability in PraisonAI, a multi-agent teams system maintained by MervinPraison. Versions prior to 4.5.97 ship a SubprocessSandbox that invokes subprocess.run() with shell=True across all execution modes, including BASIC, STRICT, and NETWORK_ISOLATED. The sandbox relies on string-pattern matching to block dangerous commands but omits sh and bash as standalone executables from the blocklist. Attackers can escape the sandbox in STRICT mode by invoking sh -c '<command>', gaining arbitrary command execution on the host. The flaw maps to [CWE-78] OS Command Injection.
Critical Impact
Network-reachable attackers can execute arbitrary operating system commands on hosts running PraisonAI, bypassing all sandbox modes and compromising confidentiality, integrity, and availability.
Affected Products
- PraisonAI versions prior to 4.5.97
- SubprocessSandbox component in BASIC, STRICT, and NETWORK_ISOLATED modes
- Deployments exposing PraisonAI agent execution to untrusted input
Discovery Timeline
- 2026-04-04 - CVE-2026-34955 published to NVD
- 2026-04-14 - Last updated in NVD database
Technical Details for CVE-2026-34955
Vulnerability Analysis
The vulnerability resides in the SubprocessSandbox class, which is responsible for executing agent-generated commands under restricted policies. The sandbox invokes subprocess.run() with the shell=True argument, meaning the supplied command string is interpreted by the system shell rather than executed as a discrete argv list. To enforce restrictions, the sandbox compares the command string against a blocklist of dangerous binaries and patterns. This approach assumes the blocklist enumerates every shell interpreter available on the host.
The STRICT mode is intended to be the most restrictive policy, blocking destructive utilities and network commands. However, the blocklist does not enumerate sh or bash as standalone executables. An attacker supplying sh -c '<command>' passes the pattern check while spawning a new shell that executes any payload the attacker chooses. The same bypass succeeds in BASIC and NETWORK_ISOLATED modes.
Root Cause
The root cause is twofold. First, using shell=True exposes shell metacharacter parsing to untrusted input. Second, the deny-list design is incomplete and cannot enumerate every interpreter, alias, or path variant that yields shell execution. Allow-listing specific binaries with shell=False would eliminate the class of bypass entirely.
Attack Vector
Exploitation requires the attacker to influence the command string passed to SubprocessSandbox. In agentic deployments, this input is typically reachable through prompts, tool outputs, or upstream API calls processed by the agent. A payload of the form sh -c 'id; cat /etc/passwd' survives the blocklist and executes under the privileges of the PraisonAI process. From there, attackers can establish persistence, exfiltrate secrets, or pivot to adjacent systems.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-r4f2-3m54-pp7q for the maintainer's analysis.
Detection Methods for CVE-2026-34955
Indicators of Compromise
- Process trees showing the PraisonAI Python interpreter spawning sh -c or bash -c child processes with attacker-controlled argument strings.
- Outbound network connections from the PraisonAI host to unexpected destinations following agent task execution.
- Filesystem writes under PraisonAI working directories containing reconnaissance output such as /etc/passwd contents or environment dumps.
Detection Strategies
- Hunt for child processes of PraisonAI where the command line matches sh -c or bash -c and was not initiated by an authorized operator.
- Inspect application logs for sandboxed command strings containing sh, bash, dash, or zsh tokens prior to version 4.5.97.
- Correlate agent prompt logs with subsequent subprocess executions to identify prompt-injected command payloads.
Monitoring Recommendations
- Enable verbose subprocess auditing on hosts running PraisonAI using auditd rules on execve syscalls.
- Forward agent execution telemetry and host process events to a centralized analytics platform for retroactive hunting.
- Alert on any PraisonAI-initiated network egress to non-allowlisted destinations, particularly when NETWORK_ISOLATED mode is configured.
How to Mitigate CVE-2026-34955
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.97 or later on all hosts.
- Audit agent prompts, tool definitions, and upstream inputs for evidence of sh -c or bash -c injection attempts.
- Rotate any credentials, API tokens, or signing keys accessible to the PraisonAI process if compromise is suspected.
Patch Information
The maintainer fixed the issue in PraisonAI 4.5.97. Review the GitHub Security Advisory GHSA-r4f2-3m54-pp7q for the patch details and release notes before upgrading production deployments.
Workarounds
- If immediate patching is not possible, disable the SubprocessSandbox execution path or restrict it to trusted operators only.
- Run PraisonAI inside an unprivileged container with a read-only filesystem and a strict egress policy to contain successful exploitation.
- Apply a host-level seccomp or AppArmor profile that denies execution of shell interpreters by the PraisonAI service account.
# Configuration example: upgrade PraisonAI to the patched release
pip install --upgrade 'praisonai>=4.5.97'
python -c "import praisonai; print(praisonai.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
