CVE-2026-34935

Summary

PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the –mcp CLI argument is passed directly to shlex.split() and forwarded through the call chain to anyio.open_process() with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command execution as the process user. This issue has been patched in version 4.5.69.

Affected Software

VendorProductVersion RangeStatus
MervinPraisonPraisonAI>= 4.5.15, < 4.5.69affected

Weaknesses

  • CWE-78: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: total

References