PYSEC-2026-471
Vulnerability from pysec - Published: 2026-06-29 11:50 - Updated: 2026-06-29 12:05
VLAI
Details
Summary
The --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.
Details
cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/__init__.py:253 (sink)
# source
parts = shlex.split(command)
# hop
cmd, args, env = self.parse_mcp_command(command, env_vars)
self.server_params = StdioServerParameters(command=cmd, args=arguments)
# sink
process = await anyio.open_process([command, *args])
Fixed in commit 47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED_COMMANDS:
raise ValueError(f"Disallowed command: {cmd}")
PoC
```python
tested on: praisonai==4.5.48
install: pip install praisonai==4.5.48
run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
verify: cat /tmp/pwned
expected output: uid=1000(...) gid=1000(...) groups=1000(...)
```
Impact
Any deployment where the --mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.
Severity
9.8 (Critical)
Impacted products
| Name | purl | praisonai |
|---|
Aliases
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.68"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "4.5.15"
},
{
"fixed": "4.5.69"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"4.5.15",
"4.5.16",
"4.5.18",
"4.5.19",
"4.5.20",
"4.5.21",
"4.5.22",
"4.5.23",
"4.5.24",
"4.5.25",
"4.5.26",
"4.5.27",
"4.5.28",
"4.5.29",
"4.5.30",
"4.5.31",
"4.5.32",
"4.5.33",
"4.5.34",
"4.5.35",
"4.5.36",
"4.5.37",
"4.5.38",
"4.5.39",
"4.5.40",
"4.5.41",
"4.5.42",
"4.5.43",
"4.5.44",
"4.5.45",
"4.5.46",
"4.5.48",
"4.5.49",
"4.5.51",
"4.5.52",
"4.5.54",
"4.5.55",
"4.5.56",
"4.5.57",
"4.5.58",
"4.5.59",
"4.5.60",
"4.5.62",
"4.5.63",
"4.5.64",
"4.5.65",
"4.5.67",
"4.5.68"
]
}
],
"aliases": [
"CVE-2026-34935",
"GHSA-9gm9-c8mq-vq7m"
],
"details": "### Summary\n\nThe `--mcp` CLI argument is passed directly to `shlex.split()` and forwarded through the call chain to `anyio.open_process()` with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.\n\n### Details\n\n`cli/features/mcp.py:61` (source) -\u003e `praisonaiagents/mcp/mcp.py:345` (hop) -\u003e `mcp/client/stdio/__init__.py:253` (sink)\n```python\n# source\nparts = shlex.split(command)\n\n# hop\ncmd, args, env = self.parse_mcp_command(command, env_vars)\nself.server_params = StdioServerParameters(command=cmd, args=arguments)\n \n# sink\nprocess = await anyio.open_process([command, *args])\n\n```\n\nFixed in commit `47bff65413beaa3c21bf633c1fae4e684348368c` (v4.5.69) by introducing a command allowlist:\n```python\nALLOWED_COMMANDS = {\"npx\", \"uvx\", \"node\", \"python\"}\nif cmd not in ALLOWED_COMMANDS:\n raise ValueError(f\"Disallowed command: {cmd}\")\n```\n\n### PoC\n```python\n# tested on: praisonai==4.5.48\n# install: pip install praisonai==4.5.48\n# run: praisonai --mcp \"bash -c \u0027id \u003e /tmp/pwned\u0027\"\n# verify: cat /tmp/pwned\n# expected output: uid=1000(...) gid=1000(...) groups=1000(...)\n ```\n\n### Impact\n\nAny deployment where the `--mcp` argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.",
"id": "PYSEC-2026-471",
"modified": "2026-06-29T12:05:42.503846Z",
"published": "2026-06-29T11:50:46.601872Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9gm9-c8mq-vq7m"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34935"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/commit/47bff65413beaa3c21bf633c1fae4e684348368c"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/praisonai"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-9gm9-c8mq-vq7m"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…