CVE-2026-54051
published 2026-06-19
critical
Network-AI: Improper Neutralization of Special Elements used in an OS Command

## Summary

The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin/sh -c`. So any wildcard allow such as `git *`, `npm *` or `node *` also matches `git status; `, and a scoped command becomes arbitrary execution.

## Root cause

Matching and execution disagree on what a command is. Lines pinned to `40e42d7` (`lib/agent-runtime.ts` is identical to the v5.8.5 tag).

1. `isCommandAllowed` matches the full string, with no tokenizing and no metacharacter check:
   https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260
2. `globMatch` compiles `*` to `.*` and anchors it, so `git *` becomes `^git .*$` and matches `git status; id`:
   https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360
3. `ShellExecutor.execute` only checks `isCommandAllowed`, never `requiresApproval`:
   https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391
4. `spawnCommand` runs the approved string via `/bin/sh -c`, so `;`, `|` and `$(...)` are interpreted by the shell:
   https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431

## Reachability

Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain `git *` is enough. No fresh-install precondition and no extra misconfiguration.

## PoC

Installs `[email protected]`, allows `git *`, then runs `git status; id > marker`. The allowlist accepts it and the injected `id` runs.

Run: `npm i [email protected] && node poc-316.js`

```js
'use strict';
const
```
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jovancoding | network-ai | >= 0 < 5.9.1 | 5.9.1 |
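
The mismatch described under Root cause, shown as an added example that is neither Network-AI's code nor its 5.9.1 fix: the whole-string glob check as the advisory describes it, beside a check that refuses shell syntax and returns an argv for execution without a shell. All function names are hypothetical and the sample commands are constructed.

```javascript
// Added example; names are hypothetical, not Network-AI's API.

// Matcher as the advisory describes it: `*` becomes `.*`, pattern anchored.
function globMatch(pattern, text) {
  const re = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex specials except `*`
    .replace(/\*/g, '.*');
  return new RegExp(`^${re}$`).test(text);
}

// Whole-string check: what /bin/sh later splits on `;` is invisible here.
function allowedWholeString(allowlist, command) {
  return allowlist.some((p) => globMatch(p, command));
}

// Characters /bin/sh treats as operators, expansion, globbing or quoting.
const SHELL_META = /[;&|<>`$(){}\[\]*?!~#'"\\\n\r]/;

// Hardened check: reject shell syntax, split into argv, match the program
// name exactly. The returned argv is meant for a no-shell spawn, e.g.
// child_process.execFile(argv[0], argv.slice(1)).
function toArgvIfAllowed(allowlist, command) {
  if (SHELL_META.test(command)) return null;
  const argv = command.trim().split(/\s+/).filter(Boolean);
  if (argv.length === 0) return null;
  const ok = allowlist.some((p) => {
    const [prog, ...rest] = p.trim().split(/\s+/);
    if (prog !== argv[0]) return false;
    if (rest.length === 1 && rest[0] === '*') return true; // e.g. "git *"
    return rest.length === argv.length - 1 &&
      rest.every((a, i) => a === argv[i + 1]);
  });
  return ok ? argv : null;
}

// Constructed sample inputs; the second string is the one the advisory cites.
const ALLOW = ['git *'];
const SAMPLES = ['git status', 'git status; id', 'gitx status'];

function compare() {
  return SAMPLES.map((command) => ({
    command,
    wholeString: allowedWholeString(ALLOW, command),
    argv: toArgvIfAllowed(ALLOW, command),
  }));
}
```

Even with argv-based execution, an entry that allows every argument to a program remains broad; listing specific subcommands narrows it further.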
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.