PraisonAI Critical RCE (CVE-2026-34938)
Critical CVE-2026-34938 sandbox escape in PraisonAI before 1.5.90 lets attackers execute arbitrary OS commands remotely, no auth or user interaction needed. Upgrade to patch.
Patch now - CVE-2026-34938 is a critical sandbox escape in the PraisonAI multi-agent teams system before 1.5.90 that grants remote attackers full OS command execution on the host, with no privileges or user interaction required.
Overview
A critical security vulnerability, CVE-2026-34938, has been identified in the PraisonAI multi-agent teams system. The flaw resides in the execute_code() function within praisonai-agents. This function is designed to run Python code within a three-layer sandbox for safety, but a specific bypass allows an attacker to escape these restrictions completely.
Vulnerability Details
The vulnerability is a sandbox escape. The system’s _safe_getattr wrapper, intended to safely inspect objects, can be tricked by passing it a custom string subclass. By overriding the startswith() method in this subclass, an attacker can manipulate the sandbox’s internal logic. This manipulation leads to a full bypass of all three sandbox layers, granting the attacker the ability to execute arbitrary operating system commands on the underlying host where PraisonAI is running.
The severity is maximized by the attack prerequisites: an attacker can exploit this remotely over a network without any privileges and without requiring any interaction from a user.
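The class of flaw described above, a guard that trusts a method looked up on a caller-supplied value, can be modeled in a few lines. This is an added example, not PraisonAI's code or its patch: `Record`, `safe_getattr_weak`, `safe_getattr_strict` and `LyingName` are hypothetical names, and the model covers only the name check, not the other sandbox layers.

```python
class BlockedAttribute(Exception):
    """Raised when a guard refuses an attribute lookup."""


class Record:
    """Constructed sample object: one public and one private attribute."""

    def __init__(self):
        self.name = "public"
        self._token = "private"


def safe_getattr_weak(obj, name):
    # Weak guard (hypothetical): the check calls a method resolved on the
    # caller-supplied value, so a subclass decides the outcome of the check.
    if name.startswith("_"):
        raise BlockedAttribute(name)
    return getattr(obj, name)


def safe_getattr_strict(obj, name):
    # Hardened guard (hypothetical): accept only an exact built-in str, and
    # call the built-in method explicitly so no override can be involved.
    if type(name) is not str:
        raise BlockedAttribute("attribute name must be an exact str")
    if str.startswith(name, "_"):
        raise BlockedAttribute(name)
    return getattr(obj, name)


class LyingName(str):
    """str subclass whose startswith() always reports 'no match'."""

    def startswith(self, *args, **kwargs):
        return False


def check(guard, name):
    """Run one guard against the sample object; report value or 'blocked'."""
    try:
        return guard(Record(), name)
    except BlockedAttribute:
        return "blocked"


if __name__ == "__main__":
    for guard in (safe_getattr_weak, safe_getattr_strict):
        for name in ("name", "_token", LyingName("_token")):
            print(guard.__name__, type(name).__name__, check(guard, name))
```

The same review question applies to any allow/deny check in a Python sandbox: does the check call anything (`startswith`, `__eq__`, `__contains__`, `__str__`) that the untrusted side can define?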
Impact
Successful exploitation of this vulnerability gives an attacker complete control over the host system running the vulnerable PraisonAI instance. They can install malware, exfiltrate sensitive data, manipulate AI agents and their workflows, or use the compromised system as a foothold for further attacks within the network. Given PraisonAI’s role in orchestrating AI agents, compromised systems could lead to significant data integrity and confidentiality breaches.
Remediation and Mitigation
The primary and immediate action is to upgrade PraisonAI to version 1.5.90 or later, which contains the patch for this issue.
Actionable Steps:
- Patch: Identify all deployments of PraisonAI and update them to version 1.5.90 immediately.
- Contain: If immediate patching is not possible, restrict network access to the PraisonAI interface to only trusted, necessary sources. Ensure the PraisonAI process runs with the minimum necessary system privileges.
- Monitor: Review logs for any unusual process execution or network connections originating from hosts running PraisonAI, particularly from the period before the patch was applied.
Organizations leveraging AI agent systems should be aware of the problem described in "AI SOC Agent Hype Masks Growing Secrets Sprawl Crisis", as these platforms often handle sensitive credentials and data. The emergence of tools like CyberStrikeAI, covered in "CyberStrikeAI tool adopted by hackers for AI-powered attacks", underscores the need for robust security in AI infrastructure.
Security Insight
This vulnerability highlights the inherent risk of “rolling your own” security primitives, especially complex constructs like sandboxes. The multi-layer design likely created a false sense of security, while the actual flaw was in a seemingly simple string-handling wrapper. It echoes historical sandbox escapes where complexity introduced unexpected interaction flaws, suggesting a need for more formal verification of such critical security boundaries or the use of battle-tested, isolated execution environments. This incident serves as a cautionary tale for the burgeoning AI agent ecosystem, where novel functionality can outpace secure implementation.
Related Advisories
PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has be...
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrus...
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote ses...
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing i...