PraisonAI is a multi-agent teams system. Prior to version 4.5.97, SubprocessSandbox in all modes (BASIC, STRICT, NETWORK_ISOLATED) calls subprocess.run() with shell=True and relies solely on string-pattern matching to block dangerous commands. The blocklist does not include sh or bash as standalone executables, allowing trivial sandbox escape in STRICT mode via sh -c '<command>'. This issue has been patched in version 4.5.97.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34955.json",
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-78"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_RANGE"
],
"cpe": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "4.5.97"
}
]
}