CVE-2026-34955
published 2026-04-04CVE-2026-34955: PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with…
PriorityP260critical10CVSS 3.1
AVNACLPRNUINSCCHIHAH
EPSS
0.38%
30.1th percentile
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c ''. This issue has been patched in version 4.5.97.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.97 | 4.5.97 |
| mervinpraison | praisonai | >= 0 < 4.5.97 | 4.5.97 |
| mervinpraison | praisonai | >= 4.5.110 < 4.6.61 | 4.6.61 |
| praison | praisonai | < 4.5.97 | 4.5.97 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
ghsa·2026-06-18
CVE-2026-34955 [HIGH] CWE-266 PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
PraisonAI SandlockSandbox falls back to unrestricted subprocess execution when Landlock is unavailable
## Summary
`praisonai.sandbox.SandlockSandbox` is documented and implemented as the kernel-enforced sandbox backend for untrusted code. Its `SandboxConfig.native()` path lets callers configure allowed filesystem paths and `network=False`.
On systems where the optional `sandlock` module imports but reports that Landlock is unavailable, `SandlockSandbox.execute()` and `run_command()` do not fail closed. They silently fall back to `SubprocessSandbox(self.config)`.
That fallback keeps the same high-level native policy object but does not enforce the native filesystem or network boundary during code execution. A sandboxed payload can read files outside the configured allowed path and open
GHSA
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
ghsa·2026-04-01
CVE-2026-34955 [HIGH] CWE-78 PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
### Summary
`SubprocessSandbox` in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls `subprocess.run()` with `shell=True` and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include `sh` or `bash` as standalone executables, allowing trivial sandbox escape in STRICT mode via `sh -c ''`.
### Details
`sandbox_executor.py:179` (source) -> `sandbox_executor.py:326` (sink)
```python
# source -- string-pattern blocklist, sh and bash not in blocked_commands
cmd_name = Path(parts[0]).name
if cmd_name in self.policy.blocked_commands: # sh, bash not blocked
raise SecurityError(...)
dangerous_patterns = [
("| sh", ...), # requires space -- "id|bash" evades this
("|
OSV
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
osv·2026-04-01
CVE-2026-34955 [HIGH] PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox
### Summary
`SubprocessSandbox` in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls `subprocess.run()` with `shell=True` and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include `sh` or `bash` as standalone executables, allowing trivial sandbox escape in STRICT mode via `sh -c ''`.
### Details
`sandbox_executor.py:179` (source) -> `sandbox_executor.py:326` (sink)
```python
# source -- string-pattern blocklist, sh and bash not in blocked_commands
cmd_name = Path(parts[0]).name
if cmd_name in self.policy.blocked_commands: # sh, bash not blocked
raise SecurityError(...)
dangerous_patterns = [
("| sh", ...), # requires space -- "id|bash" evades this
("|
No detection rules found.
No public exploits indexed.
2026-04-04
Published