{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2256", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-02-09T15:23:17.916Z", "datePublished": "2026-03-02T20:09:11.808Z", "dateUpdated": "2026-03-03T20:07:24.775Z"}, "containers": {"cna": {"title": "Command injection vulnerability in ModelScope's ms-agent", "descriptions": [{"lang": "en", "value": "A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input."}], "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "ModelScope", "product": "ms-agent", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "v1.6.0rc1", "versionType": "custom"}]}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "references": [{"url": "https://github.com/modelscope/ms-agent"}, {"url": "https://www.hiddenlayer.com/research/indirect-prompt-injection-of-claude-computer-use"}, {"url": "https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326"}, {"url": "https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC"}], "x_generator": {"engine": "VINCE 3.0.32", "env": "prod", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2256"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-02T20:09:11.808Z"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/431821"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-02T21:10:07.108Z"}}, {"problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-77", "lang": "en", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T20:06:53.906869Z", "id": "CVE-2026-2256", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:07:24.775Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.kb.cert.org/vuls/id/431821"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-03-02T21:10:07.108Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-2256", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T20:06:53.906869Z"}}}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T20:07:21.159Z"}}], "cna": {"title": "Command injection vulnerability in ModelScope's ms-agent", "source": {"discovery": "UNKNOWN"}, "affected": [{"vendor": "ModelScope", "product": "ms-agent", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "v1.6.0rc1"}]}], "references": [{"url": "https://github.com/modelscope/ms-agent"}, {"url": "https://www.hiddenlayer.com/research/indirect-prompt-injection-of-claude-computer-use"}, {"url": "https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326"}, {"url": "https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC"}], "x_generator": {"env": "prod", "engine": "VINCE 3.0.32", "origin": "https://cveawg.mitre.org/api/cve/CVE-2026-2256"}, "descriptions": [{"lang": "en", "value": "A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-94 Improper Control of Generation of Code ('Code Injection')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-03-02T20:09:11.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2256", "state": "PUBLISHED", "dateUpdated": "2026-03-03T20:07:24.775Z", "dateReserved": "2026-02-09T15:23:17.916Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-03-02T20:09:11.808Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input."}], "id": "CVE-2026-2256", "lastModified": "2026-03-03T21:52:29.877", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-02T21:16:27.797", "references": [{"source": "cret@cert.org", "url": "https://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC"}, {"source": "cret@cert.org", "url": "https://github.com/modelscope/ms-agent"}, {"source": "cret@cert.org", "url": "https://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326"}, {"source": "cret@cert.org", "url": "https://www.hiddenlayer.com/research/indirect-prompt-injection-of-claude-computer-use"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.kb.cert.org/vuls/id/431821"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}

{"bugzilla": {"description": "ModelScope: ModelScope, Red Hat AI Inference Server, Red Hat OpenShift AI: Arbitrary code execution via crafted prompt input", "id": "2444016", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2444016"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "details": ["A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input."], "name": "CVE-2026-2256", "package_state": [{"cpe": "cpe:/a:redhat:ai_inference_server:3", "fix_state": "Fix deferred", "package_name": "rhaiis-preview/vllm-cuda-rhel9", "product_name": "Red Hat AI Inference Server"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-agent-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-controller-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-router-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}, {"cpe": "cpe:/a:redhat:openshift_ai", "fix_state": "Fix deferred", "package_name": "rhoai/odh-kserve-storage-initializer-rhel9", "product_name": "Red Hat OpenShift AI (RHOAI)"}], "public_date": "2026-03-02T20:09:11Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-2256\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-2256\nhttps://github.com/Itamar-Yochpaz/CVE-2026-2256-PoC\nhttps://github.com/modelscope/ms-agent\nhttps://medium.com/@itamar.yochpaz/cve-2026-2256-from-ai-prompt-to-full-system-compromise-a4114c718326\nhttps://www.hiddenlayer.com/research/indirect-prompt-injection-of-claude-computer-use"], "statement": "This MODERATE impact command injection vulnerability affects Red Hat AI Inference Server and Red Hat OpenShift AI (RHOAI) through the ModelScope ms-agent component. An attacker can execute arbitrary operating system commands by providing specially crafted input derived from prompts.", "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,v1.6.0rc1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "ms-agent", "vendor": "modelscope"}], "analysis": {"en": {"generated_at": "2026-04-21T23:39:55.550544+00:00", "value": {"mitigation_remediation": ["Upgrade the ms\u2011agent to a version that includes the command injection fix. ", "If an upgrade cannot be performed immediately, disable or tightly restrict the prompt\u2011execution feature in the agent\u2019s configuration and implement strict validation to reject shell\u2011command patterns. ", "Apply network segmentation or firewall rules to limit inbound connections to the agent\u2019s interface, reducing the surface for remote exploitation. ", "Enable comprehensive logging and monitoring of ms\u2011agent input streams to detect and respond to attempted injection attacks."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "ModelScope ms\u2011agent, specifically all releases up to and including v1.6.0rc1.", "description_and_impact": "A command injection flaw in ModelScope's ms\u2011agent allows an attacker to embed arbitrary operating system commands into prompt\u2011derived input, enabling the execution of malicious code on the host. The weakness is classified as CWE\u201177, exposing the system to serious confidentiality, integrity, and availability risks.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of <1% reflects a low but measurable likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote attacker sending crafted prompt content to the agent\u2019s exposed network interface; this inference is based on the way the ms\u2011agent processes prompt input."}}}}, "created": "2026-03-03T08:40:59.405130+00:00", "updated": "2026-04-21T23:45:02.971111+00:00", "vendors": ["modelscope", "modelscope$PRODUCT$ms-agent"]}