CVE-2026-34935
published 2026-04-03CVE-2026-34935: PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded…
PriorityP264critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
0.82%
52.8th percentile
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.6.9 | 4.6.9 |
| mervinpraison | praisonai | >= 0 < 4.5.149 | 4.5.149 |
| mervinpraison | praisonai | >= 4.5.15 < 4.5.69 | 4.5.69 |
| praison | praisonai | >= 4.5.15 < 4.5.69 | 4.5.69 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
ghsa·2026-04-17
CVE-2026-34935 [CRITICAL] CWE-78 Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
Incomplete fix for CVE-2026-34935: Command Injection in MervinPraison/PraisonAI
### Summary
The fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to `parse_mcp_command()`, allowing arbitrary executables like `bash`, `python`, or `/bin/sh` with inline code execution flags to pass through to subprocess execution.
### Affected Package
- **Ecosystem:** PyPI
- **Package:** MervinPraison/PraisonAI
- **Affected versions:** = 47bff65413be
### Details
The vulnerability exists in `src/praisonai/praisonai/cli/features/mcp.py` in the `MCPHandler.parse_mcp_command()` method. This function parses MCP server command strings into executable commands, arguments, and environment variables. The pre-patch version performs no validation on the executable or
GHSA
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
ghsa·2026-04-01
CVE-2026-34935 [CRITICAL] CWE-78 PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
### Summary
The `--mcp` CLI argument is passed directly to `shlex.split()` and forwarded through the call chain to `anyio.open_process()` with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.
### Details
`cli/features/mcp.py:61` (source) -> `praisonaiagents/mcp/mcp.py:345` (hop) -> `mcp/client/stdio/__init__.py:253` (sink)
```python
# source
parts = shlex.split(command)
# hop
cmd, args, env = self.parse_mcp_command(command, env_vars)
self.server_params = StdioServerParameters(command=cmd, args=arguments)
# sink
process = await anyio.open_process([command, *args])
```
Fixed in commit `47bff65413beaa3c21bf633c1fae4e684348368c` (v4.5.69) by introduc
OSV
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
osv·2026-04-01
CVE-2026-34935 [CRITICAL] PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()
### Summary
The `--mcp` CLI argument is passed directly to `shlex.split()` and forwarded through the call chain to `anyio.open_process()` with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.
### Details
`cli/features/mcp.py:61` (source) -> `praisonaiagents/mcp/mcp.py:345` (hop) -> `mcp/client/stdio/__init__.py:253` (sink)
```python
# source
parts = shlex.split(command)
# hop
cmd, args, env = self.parse_mcp_command(command, env_vars)
self.server_params = StdioServerParameters(command=cmd, args=arguments)
# sink
process = await anyio.open_process([command, *args])
```
Fixed in commit `47bff65413beaa3c21bf633c1fae4e684348368c` (v4.5.69) by introduc
No detection rules found.
No public exploits indexed.
2026-04-03
Published