PT-2026-53548 · Pypi · Praisonai

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

The --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.

Details

cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/ init .py:253 (sink)
python
# source
parts = shlex.split(command)

# hop
cmd, args, env = self.parse mcp command(command, env vars)
self.server params = StdioServerParameters(command=cmd, args=arguments)
 
# sink
process = await anyio.open process([command, *args])
Fixed in commit 47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:
python
ALLOWED COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED COMMANDS:
  raise ValueError(f"Disallowed command: {cmd}")

PoC

python
# tested on: praisonai==4.5.48
# install: pip install praisonai==4.5.48
# run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
# verify: cat /tmp/pwned
# expected output: uid=1000(...) gid=1000(...) groups=1000(...)

Impact

Any deployment where the --mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-471

Affected Products

Praisonai