TL;DR

CVE-2026-2256 (CVSS 6.5 MEDIUM; NIST assessment pending) — ModelScope's ms-agent framework v1.6.0rc1 and earlier contains a command injection flaw in its Shell tool. A regex-based denylist can be bypassed via shell parsing semantics, enabling an attacker who controls any prompt-derived input (documents, logs, agent instructions, research data) to execute arbitrary OS commands on the host. No vendor patch — the maintainer has not responded to CERT/CC coordination. A public PoC exploit exists. In an AI agent context the real-world blast radius exceeds the CVSS base score: the agent process typically holds LLM provider API keys, cloud credentials, and workspace secrets.

What happened

ModelScope's ms-agent is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model Calling Protocol (MCP). The framework's Shell tool enables the agent to run arbitrary OS commands on the host system.

Researcher Itamar Yochpaz disclosed on 2026-03-02 that the Shell tool's input-validation logic relies on a regex-based command denylist — a pattern long documented as insufficient. The check function attempts to filter dangerous commands, but shell parsing semantics allow the denylist to be bypassed:

  • Indirect execution paths — shell builtins, aliases, redirections, process substitutions, and string-splitting tricks cause the check to evaluate a different string than what the shell eventually executes.
  • Prompt-derived injection — the agent consumes arbitrary external content (documents, web pages, log files, research inputs, MCP tool results) in the same context as user instructions. Attacker-controlled text in any of these sources can inject a command payload that the check misses.
  • Six validation layers bypassed — despite implementing layered checks before execution, the function permits command execution via trusted interpreters (awk, python, perl, node) not on the denylist.

CERT/CC filed advisory VU#431821 after the maintainer failed to respond during coordinated disclosure. The vulnerability was assigned CVE-2026-2256 (CWE-77; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N; the NIST CVSS of 6.5 MEDIUM reflects the base vulnerability without AI-agent-specific amplification factors).

Why the impact is higher in practice: An ms-agent process running as a developer on a workstation or in a CI environment typically holds: - LLM provider API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, AWS Bedrock IAM creds, etc.) - Cloud credentials (~/.aws/credentials, GOOGLE_APPLICATION_CREDENTIALS, etc.) - Shell history with secrets - SSH private keys - npm/PyPI publish tokens

A single exploited command injection exfiltrates all of the above — behavior closer to a cloud-account compromise than a typical CVSS 6.5 vulnerability. This is the same amplification pattern documented in LangSmith CVE-2026-25750, LiteLLM CVE-2026-42208, and other AI-framework CVEs.

Am I affected?

# Check if ms-agent is installed
pip show ms-agent 2>/dev/null | grep -E '^(Name|Version):'

# Check the version
python -c "import agent; print(agent.__version__)" 2>/dev/null

# Check for ms-agent in requirements files
grep -r "ms-agent\|modelscope.*agent" requirements*.txt pyproject.toml setup.py 2>/dev/null

You are affected if: - You have ms-agent ≤ v1.6.0rc1 installed, AND - The agent can process any externally-supplied content (documents, web pages fetched via tools, API/MCP results, logs, user input, or any text not written directly by you)

All versions through v1.6.0rc1 are vulnerable. There is no patched version.

IOCs

Type Value
CVE CVE-2026-2256
Affected versions ms-agent ≤ v1.6.0rc1 (all known versions)
Fixed version None — no patch available
CWE CWE-77 (Command Injection)
CVSS 3.1 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N; NIST assessment pending)
CERT/CC VU#431821
Published 2026-03-02
Public PoC Yes (listed in NVD advisory)
Patch None — vendor unresponsive to CERT/CC

If you are affected

  1. Do not feed ms-agent any untrusted content until a patch is available — documents, URLs to fetch, files from external repos, or any data source you do not fully control.
  2. Sandbox the agent process — run it inside a Docker container, VM, or firejail jail with network egress blocked to everything except required LLM API endpoints.
  3. Audit recent agent sessions for unexpected shell commands in agent output logs (look for curl, wget, base64, python -c, or eval calls you did not initiate).
  4. Rotate credentials accessible from the agent's environment if it processed any untrusted content before today.
  5. Monitor the ms-agent GitHub repository for a security patch; as of 2026-06-22 the vendor has not responded to CERT/CC coordination.

playbooks/rotating-cloud-credentials.mdprevention/agent-sandboxing.md

Prevention

  • Prefer allowlists over denylists for command validation in AI agent Shell tools. CWE-77 via regex blacklist is a class of bug, not a one-off: Flowise CVE-2025-59528 (eval(mcpServerConfig)), Microsoft Semantic Kernel decorator-as-documentation, and Langflow CVE-2026-33017 all stem from "the check function is documentation, not a security boundary."
  • Isolate agents that can execute shell commands. Any agent with a shell primitive is a potential RCE waiting for the right crafted input. Run it in a minimal container with read-only filesystem mounts and only the specific network endpoints it needs.
  • Treat LLM provider keys as secrets, not config. If the agent process holds an ANTHROPIC_API_KEY, mount it from a secrets manager at runtime rather than baking it into environment variables — so credential rotation doesn't require rebuilding containers.

prevention/agent-sandboxing.mdprevention/credential-hygiene.md

Sources