LeakyCreds

CVE-2026-34938 - Vulnerability Analysis

Critical, CVSS: 10.0

Last Updated: April 3, 2026

PraisonAI praisonai-agents - Command Injection

Published: April 3, 2026 | Updated: April 3, 2026 | Remote Exploitable

Overview

PraisonAI praisonai-agents < 1.5.90 contains a command injection caused by a sandbox bypass: a str subclass with an overridden startswith() defeats the check in _safe_getattr, letting attackers execute arbitrary OS commands. Exploitation requires a crafted str subclass.
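The class of flaw described above, as an added example that is not PraisonAI's code: a guard that calls startswith() on the name it was handed trusts a method the caller controls, while a guard that requires the exact built-in str type does not. The function and class names (naive_getattr, strict_getattr, Config, LyingName) are hypothetical, and the sample object is constructed and harmless.

```python
# Illustrative guard functions; names are hypothetical, not PraisonAI's code.

class Config:
    """Harmless stand-in for an object exposed inside a sandbox."""
    visible = "ok"
    _internal = "hidden"


def naive_getattr(obj, name):
    # Weak: trusts a method on the caller-supplied name object.
    if name.startswith("_"):
        raise AttributeError("blocked: " + str(name))
    return getattr(obj, name)


def strict_getattr(obj, name):
    # Hardened: accept only the exact built-in str type, then run the
    # check through str's own method so no override can take part.
    if type(name) is not str:
        raise TypeError("attribute name must be exactly str")
    if str.startswith(name, "_"):
        raise AttributeError("blocked: " + name)
    return getattr(obj, name)


class LyingName(str):
    # Constructed sample: a str subclass whose startswith() always says no.
    def startswith(self, *args):
        return False


def outcome(guard, name):
    """Return the guard's result, or the exception class name it raised."""
    try:
        return guard(Config(), name)
    except (AttributeError, TypeError) as exc:
        return type(exc).__name__
```

isinstance(name, str) would not be enough in strict_getattr, because a str subclass passes it; the check has to be on the exact type.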

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 10.0% (Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary OS commands on the host, leading to full system compromise.

Mitigation

Update to version 1.5.90 or later.

Social Media Activity (1 post)

OffSequence
@offseq
Apr 4, 2026

🚨 CRITICAL: CVE-2026-34938 in PraisonAI <1.5.90 lets attackers bypass sandbox protections and achieve arbitrary OS command execution. Immediate upgrade to v1.5.90+ required. Full system compromise possible. https://radar.offseq.com/threat/cve-2026-34938-cwe-693-protection-mechanism-failur-01ac669c #OffSeq #CVE202634938 #infosec #PraisonAI

Details

CVE ID: CVE-2026-34938
Severity: Critical
CVSS Score: 10.0
Type: command_injection
Status: new
EPSS: 10.0%
Social Posts: 1

CWE

  • CWE-693

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

EPSS Score

10.0% (Probability of exploitation in the next 30 days)