CVE-2026-34937 - Vulnerability Details

- PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. This issue has been patched in version 1.5.90.

Published: 2026-04-03

Score: 7.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

PraisonAI's run_python() function constructs a shell command by directly interpolating potentially untrusted Python code into a string passed to subprocess.run with shell=True. The escape routine only handles backslashes and double quotes, leaving $() and backtick substitutions untouched. An attacker can inject these shell substitutions to trigger arbitrary operating system commands before Python even starts, thereby achieving complete code execution on the host where the agent runs. The vulnerability is scored CVSS 7.8, indicating a high impact on confidentiality, integrity, and availability.

Affected Systems

The affected product is PraisonAI from MervinPraison. Any installation running a version earlier than 1.5.90 is vulnerable. The issue has been fixed by upgrading to version 1.5.90 or later.

Risk and Exploitability

Although the exploitation probability (EPSS) is less than 1% and the vulnerability is not listed in the CISA KEV catalog, the nature of the flaw—arbitrary command execution—makes it a serious threat. An attacker only needs to supply malicious code to run_python, which, if interpreted by the vulnerable agent, will run arbitrary OS commands. The risk is considerable, especially in environments where PraisonAI agents have elevated privileges or handle sensitive data.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MervinPraison

PraisonAI

affected

Version	Status	Constraints
`< 1.5.90`	affected	—

Configuration 1 [-]

cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Mervinpraison

Praisonai

100%

Version	Status	Scheme	Platform
`[0,1.5.90)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply the vendor-provided update to PraisonAI version 1.5.90 or newer.

Generated by OpenCVE AI on April 14, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-w37c-qqfp-c67f	PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00032.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w37c-qqfp-c67f

History

Tue, 14 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Praison Praison praisonaiagents
CPEs		cpe:2.3:a:praison:praisonaiagents::::::::
Vendors & Products		Praison Praison praisonaiagents

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mervinpraison Mervinpraison praisonai
Vendors & Products		Mervinpraison Mervinpraison praisonai

Mon, 06 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 04 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		PraisonAI is a multi-agent teams system. Prior to version 1.5.90, run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. This issue has been patched in version 1.5.90.
Title		PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
Weaknesses		CWE-78
References		https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-w37c-qqfp-c67f
Metrics		cvssV3_1 `{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Mervinpraison Praisonai

Praison Praisonaiagents

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-03T22:50:48.913Z

Updated: 2026-04-06T16:08:09.657Z

Reserved: 2026-03-31T17:27:08.660Z

Link: CVE-2026-34937

Vulnrichment

Updated: 2026-04-06T16:07:59.743Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:06.020

Modified: 2026-04-14T18:09:51.993

Link: CVE-2026-34937

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object