Description
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9.
Published: 2026-05-08
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI’s MCP command parser contains a flaw because it neither enforces a command allowlist nor validates arguments before executing them via subprocess. This omission lets an attacker supply arbitrary executable names and inline code‑execution flags such as bash, python, or /bin/sh, causing those commands to run on the host. The result is full compromise of the affected system, allowing execution of malicious code and potential disclosure, modification, or destruction of data, and service disruption.

Affected Systems

MervinPraison PraisonAI implementations whose versions precede 4.6.9 are affected. Any deployment of this multi‑agent team system running an unpatched build is vulnerable and should be considered at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating critical severity. While EPSS data is not available and the issue is not listed in CISA KEV, the flaw permits straightforward exploitation once an attacker can reach the MCP command interface. Based on the description, it is inferred that the likely attack vector is network access to the MCP command interface, or local access by privileged users. If that interface is exposed to the network or accessible by privileged users, the risk is high and the attacker can easily trigger arbitrary code execution.

Generated by OpenCVE AI on May 8, 2026 at 19:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.6.9 or later, which introduces proper command allowlisting and argument validation.
  • Limit network access to the MCP command interface so that only trusted administrators can send commands.
  • Regularly audit logs for unexpected MCP command activity to detect potential abuse.

Generated by OpenCVE AI on May 8, 2026 at 19:56 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-9qhq-v63v-fv3j PraisonAI has an incomplete fix for CVE-2026-34935 - OS Command Injection
History

Fri, 08 May 2026 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Fri, 08 May 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing arbitrary executables like bash, python, or /bin/sh with inline code execution flags to pass through to subprocess execution. This issue has been patched in version 4.6.9.
Title Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
Weaknesses CWE-77
CWE-78
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:47:27.656Z

Reserved: 2026-04-20T16:14:19.009Z

Link: CVE-2026-41497

cve-icon Vulnrichment

Updated: 2026-05-08T14:46:46.723Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-08T14:16:33.843

Modified: 2026-05-08T19:10:22.173

Link: CVE-2026-41497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:45:05Z

Weaknesses