CVE-2026-34935
Severity: CRITICAL
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
Title source: CNA description
PraisonAI is a multi-agent teams system. In versions 4.5.15 up to but not including 4.5.69, the value of the --mcp CLI argument is passed directly to shlex.split() and the resulting argv list is forwarded through the call chain to anyio.open_process() with no validation, allowlist check or sanitization at any hop. Because the first token of that list becomes the program to execute, whoever controls the --mcp value can run an arbitrary OS command, including a shell, with the privileges of the process user. This issue has been patched in version 4.5.69.
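The following is an added example, not PraisonAI's own MCPHandler.parse_mcp_command() and not taken from the fix commit. It places the vulnerable pattern the description names (shlex.split() output handed to a process spawner unchecked) beside a hardened parser that allowlists the launcher and the package it may run and rejects path-style program names and control characters. The function names, both allowlists and the sample command strings are assumptions made for illustration.

```python
"""Vulnerable and hardened handling of an MCP command string such as the one
PraisonAI receives through --mcp. Illustrative code written for this page;
names, allowlists and samples are assumptions, not the project's own code."""
import shlex
import shutil
from typing import List, Optional, Tuple

# Assumed allowlist of launchers permitted to start an MCP server. Interpreters
# such as python or node are deliberately absent: "python -c ..." would reopen
# the hole through an allowlisted program.
ALLOWED_LAUNCHERS = frozenset({"npx", "uvx"})

# Assumed allowlist of package-name prefixes a launcher may be asked to run.
ALLOWED_PACKAGE_PREFIXES = ("@modelcontextprotocol/", "mcp-server-")

# Characters that should never reach a child process's argument vector.
_BAD_CHARS = ("\x00", "\n", "\r")


def vulnerable_parse(raw: str) -> List[str]:
    """Reproduces the pattern the advisory describes: the raw --mcp string is
    split with shlex and returned as-is, so argv[0] is whatever the caller
    typed. Handing this list to anyio.open_process() executes argv[0]."""
    return shlex.split(raw)


def _first_positional(args: List[str]) -> Optional[str]:
    """First argument that is not an option flag (e.g. the package after -y)."""
    for arg in args:
        if not arg.startswith("-"):
            return arg
    return None


def hardened_parse(raw: str,
                   launchers=ALLOWED_LAUNCHERS,
                   packages=ALLOWED_PACKAGE_PREFIXES) -> List[str]:
    """Split the string, then enforce allowlists before anything is spawned.

    Raises ValueError instead of returning a flag so a caller cannot forget
    to check the result; shlex's own error for unbalanced quotes is a
    ValueError as well and propagates the same way.
    """
    argv = shlex.split(raw)
    if not argv:
        raise ValueError("empty MCP command")
    program, args = argv[0], argv[1:]
    # A path such as /bin/sh or ./evil must not bypass the name allowlist.
    if "/" in program or "\\" in program:
        raise ValueError(f"launcher must be a bare program name, got {program!r}")
    if program not in launchers:
        raise ValueError(f"launcher {program!r} is not allowlisted")
    for arg in argv:
        if any(c in arg for c in _BAD_CHARS):
            raise ValueError("control character in MCP argument")
    package = _first_positional(args)
    if package is None or not package.startswith(packages):
        raise ValueError(f"package {package!r} is not allowlisted")
    return argv


def resolve_for_spawn(argv: List[str]) -> List[str]:
    """Resolve the allowlisted launcher to an absolute path via PATH so logs and
    the spawned process agree on which binary ran, and so a missing launcher
    fails here rather than inside the process spawner."""
    path = shutil.which(argv[0])
    if path is None:
        raise FileNotFoundError(f"{argv[0]} not found on PATH")
    return [path, *argv[1:]]


def classify(raw: str) -> Tuple[bool, str]:
    """(accepted, reason) for a raw --mcp string, for callers that want to log
    a rejection instead of handling the exception."""
    try:
        hardened_parse(raw)
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate server launch, three abuses.
    samples = [
        "npx -y @modelcontextprotocol/server-filesystem /tmp",
        "sh -c 'id > /tmp/pwned'",
        "/bin/sh -c id",
        "python -c \"import os; os.system('id')\"",
    ]
    for s in samples:
        print(f"{s!r}\n  vulnerable argv: {vulnerable_parse(s)}\n  hardened: {classify(s)}")
```

The allowlist on the launcher alone is not sufficient, which is why the package prefix is checked too: npx and uvx will fetch and execute whatever package they are named, so an unconstrained second token would still hand the attacker code execution, only one hop later.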
References (2)
Core references:
Advisory (x_refsource_confirm): https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m
Commit (x_refsource_misc): https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c
Scores
CVSS v3.1 base score: 9.8 (Critical)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0082 (0.82% estimated probability of exploitation within the next 30 days)
EPSS percentile: 52.5%
The vector is scored AV:N, while the description names only a CLI argument. The practical exposure therefore depends on whether the --mcp value can be populated from untrusted input, for example by a wrapper, UI or automation that forwards user-controlled strings onto the command line.
CISA SSVC (Vulnrichment)
Exploitation: poc
Automatable: yes
Technical Impact: total
Details
CWE: CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Status: published
Products (3)
MervinPraison/PraisonAI: >= 4.5.15, < 4.5.69
praison/praisonai: 4.5.15 (introduced) to 4.5.69 (fixed)
pypi/praisonai (PyPI): 4.5.15 (introduced) to 4.5.69 (fixed)
Published: Apr 03, 2026
Tracked since: Apr 04, 2026