CVE-2026-41497 - PraisonAI MCP command injection incomplete fix

PraisonAI versions 4.5.148 and earlier contain an incomplete fix for earlier MCP command handling. The vulnerable path parses MCP server command strings and passes the resulting executable and arguments to subprocess execution without enough validation.

The follow-up advisory highlights missing controls that matter for production MCP server launchers: no strict executable allow-list, no basename validation to prevent path-based executable injection, and no argument inspection to reject shell metacharacters or interpreter inline-execution flags. In practice, MCP configuration becomes a code execution surface.

Affected versions

  • Vulnerable: praisonai <=4.5.148
  • Fixed: praisonai 4.5.149+
  • Affected path: MCPHandler.parse_mcp_command() in PraisonAI MCP command handling.
  • Related context: Incomplete fix for CVE-2026-34935.

Indicators of exposure

  • The repository depends on or deploys PraisonAI <=4.5.148.
  • MCP servers can be configured through user input, project files, workflow YAML, agent instructions, environment variables, database records, or remote control-plane config.
  • PraisonAI launches MCP servers from command strings instead of a vetted server registry.
  • Allowed MCP server commands include shells, interpreters with inline code flags, arbitrary paths, package-manager scripts, or pipe/download execution.
  • The PraisonAI process has access to model provider credentials, cloud credentials, source repositories, customer data, or internal network routes.

Quick checks:

rg -n "praisonai|parse_mcp_command|MCPHandler|mcp.*command|mcp.*server|stdio|uvx|npx|python -c|bash -c|/bin/sh|subprocess" .
python -m pip show praisonai
pip freeze | rg '^praisonai=='
rg -n "mcpServers|mcp_servers|command\\s*:|args\\s*:|stdio" .mcp* config* settings* Dockerfile* docker-compose*.yml charts deploy

Remediation strategy

  • Upgrade PraisonAI to 4.5.149+ everywhere this repository controls package manifests, lockfiles, constraints, images, or deployment manifests.
  • Replace free-form MCP command strings with a governed MCP server registry: approved server ID, fixed executable, fixed transport, typed arguments, and explicit environment-variable bindings.
  • Reject path-qualified executables unless they resolve to an approved absolute path owned by the deployment.
  • Block shells and interpreter inline-execution patterns such as sh -c, bash -c, python -c, node -e, pipes, redirects, command substitution, backticks, and downloader-to-shell chains.
  • Launch MCP servers with least-privilege identities, redacted environment values, egress restrictions, and audit logging of server IDs rather than raw secret-bearing command lines.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-41497 (PraisonAI incomplete fix for MCP command
injection). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades PraisonAI, removes unsafe
  MCP command-string launch paths, adds regression coverage, and documents
  operator cleanup, or
- TRIAGE.md if this repository does not own an affected PraisonAI runtime or
  cannot make a safe change.

## Rules

- Scope only CVE-2026-41497 / GHSA-9qhq-v63v-fv3j and the related
  CVE-2026-34935 MCP command-handling fix path.
- Treat MCP server environment variables, API keys, model provider tokens,
  cloud credentials, source code, subprocess output, and agent logs as
  sensitive.
- Do not execute exploit commands, shell payloads, downloader pipelines,
  reverse shells, or arbitrary MCP server commands.
- Do not keep caller-controlled command strings as the long-term MCP launch
  interface.
- Do not auto-merge.

## Steps

1. Inventory every PraisonAI reference controlled by this repository:
   requirements files, pyproject files, lockfiles, constraints, Dockerfiles,
   CI images, deployment manifests, MCP config, agent templates, runbooks, and
   SBOMs.
2. Determine every resolved `praisonai` version. A target is vulnerable if it
   resolves to `<=4.5.148`.
3. Search all MCP server launch configuration for free-form `command` strings,
   `args`, stdio transports, shell snippets, environment interpolation, and
   project/user-controlled MCP definitions.
4. If this repository does not deploy PraisonAI or only contains unrelated
   client code, stop with `TRIAGE.md` listing files checked and the runtime
   owner.
5. Upgrade PraisonAI to `4.5.149+`. Regenerate lockfiles, constraints, image
   metadata, SBOMs, and dependency reports.
6. Replace unsafe MCP command-string handling where this repo controls config or
   wrappers:
   - define approved MCP server IDs;
   - map each ID to a fixed executable and transport;
   - allow only typed, validated arguments;
   - bind environment variables by approved names only;
   - reject unknown executables, path traversal, path-qualified binaries, and
     shell or interpreter inline execution.
7. Add a shared MCP launch validator if the repository owns PraisonAI wrappers
   or generated config. The validator must run after parsing and normalization,
   not only on the raw string.
8. Add regression tests that do not execute commands:
   - `bash -c`, `/bin/sh -c`, `python -c`, `node -e`, backticks, `$()`, pipes,
     redirects, semicolons, `curl | sh`, and path-qualified executables are
     rejected;
   - approved MCP server IDs map to expected executable/argument arrays;
   - secrets are redacted from validation errors and audit logs;
   - legacy command-string config fails closed unless explicitly migrated.
9. Add deployment containment:
   - run PraisonAI with least-privilege service accounts;
   - isolate MCP server working directories;
   - restrict egress for agent and MCP processes;
   - disable untrusted project-level MCP config until migrated.
10. Add a PR body section named `CVE-2026-41497 operator actions` that states:
    - PraisonAI versions before and after the change;
    - every MCP server launch source reviewed;
    - whether untrusted users or projects could define MCP commands;
    - which MCP, model provider, cloud, or repository credentials should be
      rotated;
    - which logs should be reviewed for shell/interpreter launch attempts.
11. Run relevant validation: dependency install, lockfile checks, MCP config
    validation, unit tests, lint/typecheck, container build, SBOM refresh, and
    dependency/security scans available in this repository.
12. Use PR title:
    `fix(sec): remediate CVE-2026-41497 in PraisonAI MCP command handling`.

## Stop conditions

- No affected PraisonAI runtime or MCP launch path is controlled by this
  repository.
- A fixed PraisonAI version cannot be consumed without a broader platform
  migration.
- Product requirements intentionally allow arbitrary user-provided MCP command
  strings; document the risk and require a product/security decision.
- Verification would require executing attacker-controlled commands.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Verification - what the reviewer looks for

  • No controlled lockfile, image, SBOM, or deployment target resolves PraisonAI to <=4.5.148.
  • MCP server launch configuration is registry-backed or otherwise allow-listed, not arbitrary command-string execution.
  • Tests reject shells, interpreter inline-code flags, path-qualified binaries, shell metacharacters, and downloader pipelines without executing them.
  • Logs and errors do not expose MCP environment values or tokens.
  • Operator actions identify credential rotation and log review if untrusted MCP config was possible.

Watch for

  • Updating praisonai while generated MCP config, examples, or project templates still teach free-form command strings.
  • Allowing python or node generally but forgetting to block -c, -m, -e, preload hooks, package scripts, or equivalent execution features.
  • Validating the raw command string before shell-like parsing and normalization.
  • Logging full command lines with embedded secrets.
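The following is an added example, written for this page and not PraisonAI's own code nor the fix shipped in 4.5.149. It sketches one shape the registry-backed launcher and shared validator from Remediation strategy, Steps 6-8 and the Watch for items above could take in Python (PraisonAI's language): an allow-list of server IDs mapped to fixed executables and typed arguments, env binding by approved name only, legacy command strings that fail closed unless they map exactly onto a registry entry, validation that runs after `shlex` parsing rather than on the raw string, and redaction of secret-looking values before they reach errors or audit records. Every server ID, executable path, argument schema and environment-variable name in it is constructed for illustration.

```python
"""Registry-backed MCP launch validator (added example; all registry values are constructed)."""
import os
import re
import shlex
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ServerSpec:
    executable: str                                  # absolute path owned by the deployment
    fixed_args: tuple = ()
    arg_schema: dict = field(default_factory=dict)   # argument name -> regex the value must fully match
    env_names: frozenset = frozenset()               # only these env vars are forwarded to the child


# Hypothetical registry: IDs, paths, schemas and env names are made up for this example.
REGISTRY = {
    "filesystem": ServerSpec("/opt/mcp/bin/mcp-filesystem", ("--stdio",),
                             {"root": r"^/srv/data/[A-Za-z0-9_-]+$"}, frozenset({"MCP_FS_TOKEN"})),
    "github": ServerSpec("/opt/mcp/bin/mcp-github", ("--stdio",),
                         {"org": r"^[A-Za-z0-9-]{1,39}$"}, frozenset({"GITHUB_TOKEN"})),
}
APPROVED_EXECUTABLES = {spec.executable for spec in REGISTRY.values()}

SHELLS = {"sh", "bash", "zsh", "dash", "ksh", "fish", "cmd", "cmd.exe", "powershell", "pwsh"}
INTERPRETERS = {"python", "python3", "node", "ruby", "perl", "php"}
INLINE_FLAGS = {"-c", "-m", "-e", "-r", "-p", "--eval", "--print", "--require", "--import"}
DOWNLOADERS = {"curl", "wget"}
METACHARS = re.compile(r"[|&;<>`$(){}\\\n]")          # pipes, redirects, substitution, grouping
SECRET_PAT = re.compile(r"(?i)\b(\w*(?:token|key|secret|password)\w*)=\S+")


class LaunchRejected(ValueError):
    """Raised when a launch request fails validation; messages are redacted before raising."""


def redact(text):
    """Mask secret-looking NAME=value assignments so they never reach errors or audit logs."""
    return SECRET_PAT.sub(lambda m: f"{m.group(1)}=***", text)


@dataclass(frozen=True)
class LaunchPlan:
    server_id: str
    argv: tuple
    env: dict

    def audit_record(self):
        """What gets logged: server ID, executable and env var names, never values or a raw command line."""
        return {"server_id": self.server_id, "executable": self.argv[0], "env_names": sorted(self.env)}


def validate_argv(argv):
    """Validate an already-parsed argv list. Runs after shlex parsing, so quoting tricks are resolved first."""
    if not argv:
        raise LaunchRejected("empty command")
    exe = argv[0]
    if re.match(r"^\w+=", exe):   # leading NAME=value is shell syntax, not an executable
        raise LaunchRejected(f"env assignment prefix rejected, bind env by name instead: {redact(exe)}")
    base = os.path.basename(exe)
    if base != exe and exe not in APPROVED_EXECUTABLES:
        raise LaunchRejected(f"path-qualified executable is not an approved path: {exe}")
    if base in SHELLS or base in DOWNLOADERS:
        raise LaunchRejected(f"shell or downloader launch rejected: {base}")
    # Interpreters may take a script path but no inline-code, module or preload options (fail closed on "--").
    if base in INTERPRETERS and any(a in INLINE_FLAGS or re.match(r"^-[cmepr]", a) or a.startswith("--")
                                    for a in argv[1:]):
        raise LaunchRejected(f"interpreter inline-execution or preload option rejected: {base}")
    for tok in argv:
        if METACHARS.search(tok) or re.search(r"(^|/)\.\.(/|$)", tok):
            raise LaunchRejected(f"shell metacharacter or path traversal in argument: {redact(tok)}")


def build_launch(server_id, args, env):
    """Registry-backed launch: the caller supplies only a server ID, named arguments and an env mapping."""
    spec = REGISTRY.get(server_id)
    if spec is None:
        raise LaunchRejected(f"unknown MCP server id: {server_id!r}")
    argv = [spec.executable, *spec.fixed_args]
    for name, value in args.items():
        pattern = spec.arg_schema.get(name)
        if pattern is None or not re.fullmatch(pattern, str(value)):
            raise LaunchRejected(f"argument {name!r} rejected for {server_id}")   # value omitted from the error
        argv += [f"--{name}", str(value)]
    validate_argv(argv)   # validator runs on the final, normalized argv even for registry launches
    child_env = {k: v for k, v in env.items() if k in spec.env_names}
    return LaunchPlan(server_id, tuple(argv), child_env)


def migrate_legacy_command(command):
    """Accept a legacy free-form command string only if it maps exactly onto a registry entry."""
    if METACHARS.search(command):
        raise LaunchRejected(f"shell metacharacters in legacy command: {redact(command)}")
    argv = shlex.split(command)
    validate_argv(argv)
    for server_id, spec in REGISTRY.items():
        if tuple(argv) == (spec.executable, *spec.fixed_args):
            return server_id
    raise LaunchRejected(f"legacy command does not match any registered server: {redact(command)}")
```

Regression tests against this design never execute anything: they call `migrate_legacy_command` and `validate_argv` with the rejected patterns from Step 8 (`bash -c`, `/bin/sh -c`, `python -c`, `node -e`, backticks, `$()`, pipes, redirects, semicolons, `curl | sh`, path-qualified binaries) and assert on `LaunchRejected`, then check that an approved ID produces the expected argv tuple and that a secret placed in a legacy string does not appear in the error text.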

References