GHSA-2763-CJ5R-C79M: CVE-2026-34935: Critical OS Command Injection in PraisonAI MCP Processing

CVE-2026-34935: Critical OS Command Injection in PraisonAI MCP Processing

Vulnerability ID: GHSA-2763-CJ5R-C79M
CVSS Score: 9.8
Published: 2026-04-08

PraisonAI versions prior to 4.5.69 are vulnerable to a critical OS Command Injection flaw. The vulnerability resides in the command-line interface processing of Model Context Protocol (MCP) server commands, allowing an attacker to execute arbitrary system commands via the --mcp parameter.

TL;DR

Unsanitized input in PraisonAI's --mcp CLI argument allows attackers to achieve arbitrary OS command execution. While patched in version 4.5.69 via an allowlist, the fix remains susceptible to LOLBin argument injection.

---

⚠️ Exploit Status: POC

Technical Details

• CWE ID: CWE-78
• Attack Vector: Network / CLI Input
• CVSS v3.1: 9.8 (Critical)
• EPSS Score: 0.00083
• Impact: Arbitrary Code Execution
• Exploit Status: Proof of Concept

Affected Systems

• PraisonAI CLI
• PraisonAI Agents Framework
• praisonai: >= 4.5.15, < 4.5.69 (Fixed in: 4.5.69)
• praisonaiagents: <= 1.5.68 (Fixed in: 1.5.69)

Code Analysis

Commit: 47bff65

Implemented allowlist validation for MCP server command execution

Exploit Details

• GitHub Security Advisory: Proof of Concept demonstrating argument injection via the --mcp parameter.

Mitigation Strategies

• Update PraisonAI to version 4.5.69 or higher
• Update praisonaiagents to version 1.5.69 or higher
• Implement strict upstream input validation before CLI invocation
• Apply principle of least privilege using dedicated service accounts
• Deploy AppArmor or SELinux profiles to restrict child process creation

Remediation Steps:

1. Identify all systems running PraisonAI and determine the installed version.
2. Execute pip install --upgrade praisonai>=4.5.69 praisonaiagents>=1.5.69 in the affected environments.
3. Audit any wrapper applications or APIs that construct CLI calls to ensure user input cannot inject into the --mcp flag.
4. Implement monitoring for unexpected process lineage, specifically bash or sh spawned by the PraisonAI process.

References

• GitHub Advisory: GHSA-2763-CJ5R-C79M
• GitHub Advisory: GHSA-9gm9-c8mq-vq7m
• NVD Vulnerability Detail: CVE-2026-34935
• PraisonAI Fix Commit
• TheHackerWire: Technical Analysis & Related Sandbox Bypass

---

Read the full report for GHSA-2763-CJ5R-C79M on our website for more details including interactive diagrams and full exploit analysis.