CVE-2026-34935
Command Injection in PraisonAI CLI Allows Arbitrary Code Execution
Publication date: 2026-04-03
Last updated on: 2026-04-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | From 4.5.15 (inc) to 4.5.69 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PraisonAI, a multi-agent teams system, specifically in versions from 4.5.15 up to but not including 4.5.69. The issue arises because the --mcp command line argument is passed directly to the shlex.split() function and then forwarded to anyio.open_process() without any validation, allowlist checks, or sanitization. This lack of input validation allows an attacker to execute arbitrary operating system commands with the privileges of the process user.
How can this vulnerability impact me? :
The vulnerability can have severe impacts because it allows an attacker to execute arbitrary OS commands on the affected system with the same privileges as the process user running PraisonAI. This can lead to full system compromise, including unauthorized data access, data modification, service disruption, or further exploitation of the system.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in PraisonAI versions from 4.5.15 to before 4.5.69 allows arbitrary OS command execution due to unsafe handling of the --mcp CLI argument.
To mitigate this vulnerability immediately, upgrade PraisonAI to version 4.5.69 or later where the issue has been patched.