CVE-2026-2256
Command Injection in ModelScope ms-agent Allows Arbitrary Execution
Publication date: 2026-03-02
Last updated on: 2026-03-03
Assigner: CERT/CC
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| modelscope | ms-agent | 1.5.2 |
| modelscope | ms-agent | to 1.6.0rc1 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2256 is a command injection vulnerability in ModelScope's MS-Agent framework, specifically affecting versions v1.6.0rc1 and earlier. It arises from improper sanitization of user-influenced input that is passed directly to a shell execution context within the Shell tool component.
This flaw allows an attacker to inject arbitrary operating system commands through crafted prompt-derived input, bypassing security checks that attempt to block dangerous commands. The vulnerability exists because the security mechanism's blocklist misses interpreters like python3, nc (netcat), perl, ruby, and node, which attackers can leverage to execute arbitrary code.
A proof-of-concept demonstrates how an attacker can use Python 3 to establish a reverse shell, gaining full command execution capabilities with the privileges of the MS-Agent process. [1]
How can this vulnerability impact me?
This vulnerability can have severe impacts, including allowing an attacker to execute arbitrary commands on the host system with the privileges of the MS-Agent process.
Exploitation can lead to full host system compromise, enabling attackers to manipulate files, execute malicious scripts, or take control of the affected system.
Because the vulnerability bypasses security checks, attackers do not need direct shell access or operator interaction, increasing the risk of stealthy and automated attacks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of the CVE-2026-2256 vulnerability involves monitoring for exploitation attempts that leverage command injection through the MS-Agent's Shell tool. A practical approach is to observe unusual shell command executions originating from the MS-Agent process, especially those involving interpreters like python3, nc (netcat), perl, ruby, or node, which bypass the incomplete check_safe() function.
One can set up a netcat listener on a local port (e.g., port 1111) to detect reverse shell connections initiated by exploitation attempts. For example, running the command `nc -lvnp 1111` will listen for incoming connections that might be part of a proof-of-concept exploit.
Additionally, inspecting the MS-Agent logs or monitoring the execution of the vulnerable shell.py script for suspicious input or commands can help detect exploitation.
- Set up a netcat listener: `nc -lvnp 1111`
- Monitor MS-Agent process for execution of interpreters like python3, nc, perl, ruby, or node.
- Check logs or audit command executions related to `ms_agent/tools/shell/shell.py` for unusual or crafted inputs. [1]
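The second monitoring step above, flagging interpreter executions whose parent is the agent process, as an added detection example (not code from the CVE record or from the ms-agent project). It assumes a constructed JSON-lines process-exec log with `pid`, `parent_comm`, `exe` and `argv` fields, and an assumed agent process name of `ms-agent`; adapt both to the real audit source and process name on your host.

```python
import json
import os

# Interpreters the CVE description names as missing from the check_safe() blocklist.
WATCHED_INTERPRETERS = {"python3", "nc", "perl", "ruby", "node"}

# Assumed process name of the MS-Agent process; set it to the name seen on your host.
AGENT_COMM = "ms-agent"


def interpreter_name(exe: str) -> str:
    """Basename of an executable path, e.g. '/usr/bin/python3' -> 'python3'."""
    return os.path.basename(exe)


def find_interpreter_spawns(lines):
    """Return exec events whose parent is the agent and whose executable is a watched
    interpreter. Each line is one JSON object (constructed format, not a real auditd
    record); malformed lines are skipped so one bad record cannot stop the scan."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if event.get("parent_comm") != AGENT_COMM:
            continue  # interpreter use by other processes is out of scope here
        name = interpreter_name(event.get("exe", ""))
        if name in WATCHED_INTERPRETERS:
            hits.append({"pid": event.get("pid"), "interpreter": name,
                         "argv": event.get("argv", [])})
    return hits


# Constructed sample events, not captured from a real system.
SAMPLE_LOG = """
{"pid": 4101, "parent_comm": "ms-agent", "exe": "/bin/ls", "argv": ["ls", "-la", "/tmp"]}
{"pid": 4102, "parent_comm": "ms-agent", "exe": "/usr/bin/python3", "argv": ["python3", "-c", "<redacted>"]}
{"pid": 4103, "parent_comm": "bash", "exe": "/usr/bin/python3", "argv": ["python3", "script.py"]}
{"pid": 4104, "parent_comm": "ms-agent", "exe": "/usr/bin/nc", "argv": ["nc", "-v", "<host>", "1111"]}
not json at all
"""

if __name__ == "__main__":
    for hit in find_interpreter_spawns(SAMPLE_LOG.splitlines()):
        print(f"ALERT pid={hit['pid']} interpreter={hit['interpreter']} argv={hit['argv']}")
```

Only the two events spawned by the agent (pids 4102 and 4104) are reported; the python3 run under bash and the plain `ls` are not.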
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting or disabling the vulnerable Shell tool component within MS-Agent, especially the execution of commands via `ms_agent/tools/shell/shell.py`.
Since the vulnerability arises from improper input sanitization and an incomplete blocklist in the `check_safe()` function, applying patches or updates that fix this sanitization issue is critical once available.
In the meantime, limit the privileges of the MS-Agent process to minimize potential impact from exploitation.
Also, monitor and restrict network access to prevent reverse shell connections, for example by firewalling or disabling unnecessary inbound/outbound connections on ports like 1111.
If testing the PoC, ensure cleanup by removing any test directories created (e.g., `rm -rf /tmp/test_output`).