PraisonAI CLI Argument RCE (CVE-2026-34935)
CVE-2026-34935 grants unauthenticated RCE on PraisonAI multi-agent systems v4.5.15-4.5.68 via the --mcp CLI argument. Upgrade to v4.5.69 immediately.
Patch now - CVE-2026-34935 is a critical command-injection flaw in PraisonAI versions 4.5.15 through 4.5.68 that grants unauthenticated remote attackers full OS command execution with no user interaction required. Upgrade to version 4.5.69 or later to block exploitation.
Overview
A critical command injection vulnerability, CVE-2026-34935, has been identified in the PraisonAI multi-agent teams system. The flaw allows remote, unauthenticated attackers to execute arbitrary operating system commands on the host running the vulnerable software.
Vulnerability Details
The vulnerability resides in how PraisonAI handles the --mcp command-line interface (CLI) argument. In affected versions (4.5.15 through 4.5.68), this user-supplied input is passed directly to the shlex.split() function and then forwarded to anyio.open_process() without any validation, sanitization, or allowlist checks. This lack of input filtering creates a direct path for an attacker to inject and execute malicious commands with the privileges of the PraisonAI process.
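The missing allowlist check described above, as an added example (not PraisonAI's code and not the 4.5.69 patch). `shlex.split()` only tokenizes, so the caller still chooses which binary runs; the names `ALLOWED_LAUNCHERS`, `INLINE_CODE_FLAGS`, `validate_mcp_command` and the sample commands are assumptions made for illustration.

```python
import shlex

# Assumption: launchers this deployment intends to permit for MCP servers.
ALLOWED_LAUNCHERS = {"npx", "python3"}
# Flags that make an allowed launcher run inline code instead of a server.
INLINE_CODE_FLAGS = {"python3": {"-c"}, "npx": {"-c", "--call"}}


class McpCommandRejected(ValueError):
    """Raised when an --mcp value fails the allowlist policy."""


def validate_mcp_command(raw: str) -> list[str]:
    """Tokenize an --mcp value and return argv only if policy allows it."""
    try:
        argv = shlex.split(raw)  # tokenization only, not validation
    except ValueError as exc:  # e.g. unbalanced quotes
        raise McpCommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise McpCommandRejected("empty command")
    launcher = argv[0]
    # Bare names only: a path-qualified argv[0] could point at any binary.
    if "/" in launcher or "\\" in launcher:
        raise McpCommandRejected(f"path-qualified launcher: {launcher!r}")
    if launcher not in ALLOWED_LAUNCHERS:
        raise McpCommandRejected(f"launcher not allowlisted: {launcher!r}")
    banned = INLINE_CODE_FLAGS.get(launcher, set())
    for arg in argv[1:]:
        if arg in banned:
            raise McpCommandRejected(f"inline-code flag {arg!r} for {launcher}")
    return argv


def is_allowed(raw: str) -> bool:
    """Boolean wrapper around validate_mcp_command for policy checks."""
    try:
        validate_mcp_command(raw)
        return True
    except McpCommandRejected:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from the advisory.
    for sample in ("npx -y example-mcp-server /srv/data",
                   "sh -c 'echo constructed'",
                   "python3 -c 'print(1)'",
                   "/tmp/npx -y example-mcp-server"):
        print(f"{sample!r}: {'allow' if is_allowed(sample) else 'reject'}")
```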
Impact
With a maximum CVSS score of 9.8, this vulnerability is highly severe. Attackers exploiting this flaw can achieve full command execution on the target system. This could lead to complete system compromise, data theft, deployment of ransomware, or the use of the server as a foothold for lateral movement within a network. The network attack vector with no required privileges or user interaction makes this flaw particularly dangerous for exposed instances.
Affected Versions
PraisonAI versions starting from 4.5.15 up to, but not including, version 4.5.69 are vulnerable.
Remediation and Mitigation
The primary and immediate action is to upgrade PraisonAI to version 4.5.69 or later, which contains the necessary validation to patch this vulnerability.
Immediate Actions:
- Upgrade: Update all instances of PraisonAI to version 4.5.69 or the latest available version.
- Inventory: Identify all systems running PraisonAI, especially those accessible from untrusted networks.
- Restrict Access: As a temporary measure if patching is delayed, ensure PraisonAI services are not exposed to the public internet and are behind strict network access controls.
Until the patch is applied, treat any system running a vulnerable version as potentially compromised and monitor it for anomalous activity.
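For the Inventory step above, an added example (not from the advisory's author or the PraisonAI project) that flags hosts whose `pip freeze` output shows a release in the affected range. The host names and package listings are constructed sample data, and the function names are assumptions.

```python
import re

AFFECTED_MIN = (4, 5, 15)  # first affected release per the advisory
FIXED = (4, 5, 69)         # first fixed release per the advisory


def normalize(name: str) -> str:
    """Normalize a distribution name so 'PraisonAI' matches 'praisonai'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_release(version: str):
    """Return (major, minor, patch) as ints, or None if not parseable."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    return tuple(int(part) for part in m.groups()) if m else None


def is_affected(version: str) -> bool:
    # Compare numerically: as strings, "4.5.9" would sort above "4.5.15".
    release = parse_release(version)
    return release is not None and AFFECTED_MIN <= release < FIXED


def vulnerable_hosts(inventory: dict) -> dict:
    """Map host -> installed version for hosts in the affected range."""
    hits = {}
    for host, freeze_output in inventory.items():
        for line in freeze_output.splitlines():
            name, sep, version = line.strip().partition("==")
            # Exact name match so 'praisonaiagents' is not confused with it.
            if sep and normalize(name) == "praisonai" and is_affected(version):
                hits[host] = version
    return hits


# Constructed inventory: host name -> `pip freeze` output collected from it.
SAMPLE_INVENTORY = {
    "agent-01": "anyio==4.4.0\nPraisonAI==4.5.20\n",
    "agent-02": "praisonai==4.5.69\n",
    "agent-03": "praisonai==4.5.9\npraisonaiagents==4.5.30\n",
    "agent-04": "praisonai==4.5.68\n",
}

if __name__ == "__main__":
    for host, version in sorted(vulnerable_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: praisonai {version} is in the affected range")
```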
Security Insight
This vulnerability highlights a persistent class of flaw in AI/ML tooling where powerful system-level capabilities are exposed without robust input validation, echoing past incidents in other DevOps and automation platforms. The direct passthrough of CLI arguments to process execution is a foundational security failure, suggesting that rapid feature development in emerging AI orchestration tools may be outpacing secure coding practices. As seen with the adoption of tools like CyberStrikeAI by threat actors, the integration of AI systems into critical workflows makes them high-value targets, amplifying the impact of such basic vulnerabilities.