{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34938", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-31T17:27:08.660Z", "datePublished": "2026-04-03T22:51:28.199Z", "dateUpdated": "2026-04-06T13:23:42.009Z"}, "containers": {"cna": {"title": "PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code", "problemTypes": [{"descriptions": [{"cweId": "CWE-693", "lang": "en", "description": "CWE-693: Protection Mechanism Failure", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 1.5.90", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:51:28.199Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90."}], "source": {"advisory": "GHSA-6vh2-h83c-9294", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-06T13:23:32.754263Z", "id": "CVE-2026-34938", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:23:42.009Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34938", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-06T13:23:32.754263Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-06T13:23:37.844Z"}}], "cna": {"title": "PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code", "source": {"advisory": "GHSA-6vh2-h83c-9294", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 10, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 1.5.90"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-693", "description": "CWE-693: Protection Mechanism Failure"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-03T22:51:28.199Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34938", "state": "PUBLISHED", "dateUpdated": "2026-04-06T13:23:42.009Z", "dateReserved": "2026-03-31T17:27:08.660Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-03T22:51:28.199Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "matchCriteriaId": "0CECD474-C348-4AD9-B570-42895741C580", "versionEndExcluding": "1.5.90", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a str subclass with an overridden startswith() method to the _safe_getattr wrapper, achieving arbitrary OS command execution on the host. This issue has been patched in version 1.5.90."}], "id": "CVE-2026-34938", "lastModified": "2026-04-14T18:07:19.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 10.0, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-03T23:17:06.170", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-693"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.90)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-14T22:08:55.547758+00:00", "value": {"mitigation_remediation": ["Apply the 1.5.90 or newer patch to PraisonAI agents", "Verify sandbox functionality after the upgrade", "If a patch cannot be applied immediately, block or disable external access to the execute_code interface until the fix is deployed"], "summary": {"action": "Immediate patch", "impact": "Arbitrary OS command execution"}, "threat_synthesis": {"affected_systems": "Systems affected are installations of PraisonAI\u2019s praionai\u2011agents package with versions earlier than 1.5.90. The vendor is MervinPraison, and the product hosting the vulnerable code is the PraisonAI agents service. Versions 1.5.90 and newer contain the fix and are not affected.", "description_and_impact": "The vulnerability exists in the PraisonAI agents component. Before version 1.5.90, the execute_code() method runs supplied Python code inside a sandbox that is meant to restrict system access. Attackers can create a subclass of the built\u2011in str type that overrides the startswith() method. When this object is used by the sandbox\u2019s _safe_getattr wrapper, the override bypasses the sandbox layers and allows execution of arbitrary OS commands on the host machine. The weakness is categorized as CWE\u2011693 because input validation fails, leading to loss of integrity and potential confidentiality compromise.", "risk_and_exploitability": "The CVSS base score is 10, indicating critical severity. EPSS indicates an exploitation likelihood lower than 1\u202f%. Although the vulnerability is not listed in the CISA KEV catalog, its ability to escape a sandbox and run arbitrary commands makes it a high\u2011impact target. The likely attack vector is via the execute_code API, which can be invoked remotely by an attacker who can provide arbitrary code payloads. The exploit requires no additional privileges; if the agent runs with host system permissions, the injected code can gain the same level of access."}}}}, "created": "2026-04-06T21:21:53.161245+00:00", "updated": "2026-04-15T16:30:09.762783+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}