CVE-2026-34955 - Vulnerability Details

- PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.

Published: 2026-04-03

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The SubprocessSandbox component uses subprocess.run(..., shell=True) and relies on a string‑pattern blocklist that excludes sh or bash when invoked as standalone executables. This omission allows an attacker to execute arbitrary host commands such as sh -c '<command>' in STRICT mode. Based on the description, it is inferred that this capability permits the attacker to run any command on the host, potentially compromising confidentiality, integrity, and availability.

Affected Systems

The flaw exists in PraisonAI from MervinPraison. All releases older than version 4.5.97 are vulnerable; the issue is fixed in version 4.5.97 and later.

Risk and Exploitability

The CVSS score of 8.8 indicates a high severity, while an EPSS score of less than 1 % implies that exploitation is currently unlikely on a broad scale. The vulnerability is identified as CWE‑78 (OS Command Injection). The likely attack vector is via an attacker supplying a malicious command string to the sandbox’s subprocess call; this inference comes from the description that the escape can be achieved with sh -c '<command>'. Therefore, the risk is significant if the attacker can influence the sandbox input or has local access to the environment.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

MervinPraison

PraisonAI

affected

Version	Status	Constraints
`< 4.5.97`	affected	—

Configuration 1 [-]

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Mervinpraison

Praisonai

100%

Version	Status	Scheme	Platform
`[0,4.5.97)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade PraisonAI to version 4.5.97 or newer.
If unable to upgrade, disable the use of shell=True in SubprocessSandbox.
Ensure sh and bash are excluded from any custom blocklists and monitor subprocess activity for suspicious commands.

Generated by OpenCVE AI on April 14, 2026 at 21:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-r4f2-3m54-pp7q	PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00016.

Exploitation poc

Automatable no

Technical Impact total

References

Link	Providers
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q

History

Tue, 14 Apr 2026 19:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Praison Praison praisonai
CPEs		cpe:2.3:a:praison:praisonai::::::::
Vendors & Products		Praison Praison praisonai

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mervinpraison Mervinpraison praisonai
Vendors & Products		Mervinpraison Mervinpraison praisonai

Mon, 06 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Sat, 04 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
Description		PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.
Title		PraisonAI: Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
Weaknesses		CWE-78
References		https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-r4f2-3m54-pp7q
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}`

Subscriptions

Mervinpraison Praisonai

Praison Praisonai

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-03T23:04:25.792Z

Updated: 2026-04-06T19:06:17.563Z

Reserved: 2026-03-31T17:27:08.662Z

Link: CVE-2026-34955

Vulnrichment

Updated: 2026-04-06T19:06:13.697Z

NVD

Status : Analyzed

Published: 2026-04-04T00:16:19.370

Modified: 2026-04-14T18:56:02.767

Link: CVE-2026-34955

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T16:30:09Z

Weaknesses

CWE-78

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation poc

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object