{"data":{"id":"2d6f5da9-6bc6-410c-a73d-f51664f4e1d2","title":"GHSA-r4f2-3m54-pp7q: PraisonAI Has Sandbox Escape via shell=True and Bypassable Blocklist in SubprocessSandbox","summary":"PraisonAI's SubprocessSandbox has a critical security flaw where it uses `shell=True` (a setting that makes subprocess execute commands through a shell) and only blocks certain command names, but doesn't block `sh` or `bash` executables, allowing attackers to escape the sandbox by running commands like `sh -c '<command>'` even in STRICT mode. This means security protections meant to isolate untrusted AI code can be bypassed, giving attackers access to the network, files, and system information.","solution":"Replace the `subprocess.run()` call with `shlex.split(command)` (a function that safely parses command strings) and set `shell=False` to disable shell interpretation. Specifically, change from `subprocess.run(command, shell=True, ...)` to `subprocess.run(shlex.split(command), shell=False, cwd=cwd, env=env, capture_output=capture_output, text=True, timeout=timeout)`.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-r4f2-3m54-pp7q","publishedAt":"2026-04-01T23:26:01.000Z","cveId":"CVE-2026-34955","cweIds":null,"cvssScore":null,"cvssSeverity":"high","severity":"high","attackType":[],"issueType":"vulnerability","affectedPackages":["praisonai@<= 4.5.96 (fixed: 4.5.97)"],"affectedVendors":["LangChain"],"affectedVendorsRaw":["PraisonAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-04-01T23:26:01.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"agent","llmSpecific":true,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":null}}