PraisonAI OS Command Injection Vulnerability in MCP Command Parsing

Vulnerability

A critical OS command injection vulnerability has been identified in PraisonAI versions from 4.5.15 up to, but not including, 4.5.69. The value of the '--mcp' command-line argument is passed directly to 'shlex.split()' and the resulting argument list is handed to 'anyio.open_process()' without any validation or sanitization. This flaw allows arbitrary operating system commands to be executed as the process user.

Impact

Exploitation of this vulnerability allows for arbitrary OS command execution as the process user, potentially leading to unauthorized actions or access on the system.

Reproduction

To reproduce this vulnerability, use PraisonAI version 4.5.48 and run the following command:

    praisonai --mcp "bash -c 'id > /tmp/pwned'"

After executing this command, the file '/tmp/pwned' will contain the output of the 'id' command, demonstrating successful exploitation.

Remediation

Users can upgrade to PraisonAI version 4.5.69 or later, where this vulnerability has been patched.
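
For code that builds a subprocess argv from a user-supplied string in the way this advisory describes, the sketch below contrasts tokenising alone with an allowlist check on the tokenised argv before anything is spawned. It is an added example, not PraisonAI's code or the 4.5.69 patch; the function names and the allowlist entries are hypothetical.

```python
import shlex

# Hypothetical operator-maintained allowlist (an assumption, not PraisonAI's):
# each entry is the exact argv prefix an MCP server launch must start with.
ALLOWED_PREFIXES = [
    ("example-mcp-server",),
    ("npx", "-y", "@example/mcp-server"),
]


def parse_mcp_unchecked(value):
    """Pattern from the advisory: the string is tokenised and nothing more."""
    return shlex.split(value)


def parse_mcp_checked(value, allowed=ALLOWED_PREFIXES):
    """Tokenise, then require the argv to begin with an approved prefix."""
    try:
        argv = shlex.split(value)
    except ValueError as exc:  # e.g. unbalanced quotes
        raise ValueError(f"malformed --mcp value: {exc}") from None
    if not argv:
        raise ValueError("empty --mcp value")
    for prefix in allowed:
        # Exact token comparison: a path such as /tmp/example-mcp-server
        # or a different interpreter never matches an approved entry.
        if tuple(argv[:len(prefix)]) == tuple(prefix):
            return argv
    raise ValueError(f"{argv[0]!r} is not an approved MCP server command")


def classify(values):
    """Return (value, accepted) pairs without spawning any process."""
    results = []
    for value in values:
        try:
            parse_mcp_checked(value)
            results.append((value, True))
        except ValueError:
            results.append((value, False))
    return results


if __name__ == "__main__":
    # Constructed sample inputs; the second is the advisory's reproduction value.
    for value, ok in classify(["example-mcp-server --port 8080",
                               "bash -c 'id > /tmp/pwned'",
                               "/tmp/example-mcp-server"]):
        print("accept" if ok else "reject", repr(value))
```

The returned list is meant to be passed to the process API as an argument list, never re-joined into a shell string; an approved launcher still runs whatever its remaining arguments name, so pin those in the prefix where possible.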

Added: Apr 3, 2026, 11:22 PM
Updated: Apr 3, 2026, 11:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 8.2
remediation: 0.0
relevance: 5.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.