PT-2026-29831 · Praisonai · Praisonai

Yerang30 · Published 2026-04-01 · Updated 2026-04-04 · CVE-2026-34955

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.5.97

Description: PraisonAI's SubprocessSandbox, in all modes (BASIC, STRICT, NETWORK ISOLATED), runs commands through subprocess.run() with shell=True and relies on string-pattern matching against a blocklist to decide which commands to refuse. The blocklist does not include the sh or bash executables, so the sandbox can be escaped in STRICT mode via sh -c '<command>'. This lets an attacker bypass the OS-level isolation and potentially reach the network, the filesystem, and cloud metadata services, especially when combined with agent prompt injection. The vulnerable code is in sandbox executor.py, specifically lines 179 and 326. The root causes are the absence of sh and bash from the blocked-commands list and the use of shell=True, which spawns /bin/sh to interpret the command string.

Recommendations: Update to version 4.5.97 or later to address the vulnerability. As a temporary workaround, avoid using the --sandbox strict option. Consider tokenizing the command with shlex.split() and calling subprocess.run() with shell=False so that no shell interprets the command string.
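The following is an added example, not PraisonAI's code, showing why a substring blocklist in front of shell=True is insufficient and what the recommended fix looks like: shlex.split() plus shell=False, combined with an allowlist of executables and an explicit refusal of shell interpreters. The blocklist, the allowlist, the interpreter set and the sample commands are all constructed for illustration and are not taken from the project.

```python
"""Added example (not PraisonAI's code): a string-pattern blocklist used with
shell=True, beside a hardened filter that tokenises with shlex.split(), runs with
shell=False, and refuses shell interpreters. All lists and samples are constructed."""
import shlex
import subprocess
from typing import List

# Constructed blocklist standing in for a string-pattern list (assumption).
BLOCKED_PATTERNS = ("rm -rf", "curl ", "wget ")

# Constructed allowlist of executables the sandbox may launch (assumption).
ALLOWED_EXECUTABLES = {"ls", "cat", "echo", "python3"}

# Programs that are themselves command interpreters. Any of these as argv[0]
# turns the rest of argv into a new command string, so they are rejected outright.
SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh", "ksh", "busybox"}


def weak_is_allowed(command: str) -> bool:
    """Weak check: substring blocklist over the raw command string.
    A command that does not literally contain a blocked pattern passes, even if
    it delegates the real work to an interpreter. Mirrors the advisory's flaw."""
    return not any(p in command for p in BLOCKED_PATTERNS)


def hardened_argv(command: str) -> List[str]:
    """Hardened check: tokenise like a shell would (shlex), then validate argv[0]
    against an allowlist and reject interpreters. Returns argv for shell=False."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar parse failures
        raise PermissionError(f"unparseable command: {exc}") from exc
    if not argv:
        raise PermissionError("empty command")
    exe = argv[0].rsplit("/", 1)[-1]  # strip any path prefix (/bin/sh -> sh)
    if exe in SHELL_INTERPRETERS:
        raise PermissionError(f"shell interpreter not permitted: {argv[0]}")
    if exe not in ALLOWED_EXECUTABLES:
        raise PermissionError(f"executable not in allowlist: {argv[0]}")
    # With shell=False, metacharacters in later argv entries are literal bytes,
    # not operators: there is no second parsing stage to re-interpret them.
    return argv


def run_sandboxed(command: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Run a validated command without a shell. shell=False means no /bin/sh is
    spawned, so nothing in argv is expanded, chained or redirected."""
    argv = hardened_argv(command)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


def classify(command: str) -> str:
    """Verdict of each filter on one command, for side-by-side comparison."""
    weak = "pass" if weak_is_allowed(command) else "block"
    try:
        hardened_argv(command)
        hard = "pass"
    except PermissionError:
        hard = "block"
    return f"weak={weak} hardened={hard}"


if __name__ == "__main__":
    # Constructed sample commands; the interpreter cases are benign (echo only).
    samples = ["echo hello", "rm -rf /tmp/x", "sh -c 'echo hi'",
               "/bin/bash -c 'echo hi'", "echo a; id"]
    for cmd in samples:
        print(f"{cmd!r:26} -> {classify(cmd)}")
    # Under shell=False the ';' is just an argument to echo, not a separator.
    print(run_sandboxed("echo a; id").stdout.strip())
```

Note that the hardened filter also makes the last sample harmless: `echo a; id` is tokenised into `["echo", "a;", "id"]`, and because no shell is involved the `;` is passed to echo as a literal argument rather than acting as a command separator.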

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34955
GHSA-R4F2-3M54-PP7Q

Affected Products

Praisonai