ModelScope ms-agent OS command injection via Shell tool (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory
TL;DR
CVE-2026-2256 (CVSS 6.5 MEDIUM; NIST assessment pending) — ModelScope's ms-agent framework v1.6.0rc1 and earlier contains a command injection flaw in its Shell tool. A regex-based denylist can be bypassed via shell parsing semantics, enabling an attacker who controls any prompt-derived input (documents, logs, agent instructions, research data) to execute arbitrary OS commands on the host. No vendor patch — the maintainer has not responded to CERT/CC coordination. A public PoC exploit exists. In an AI agent context the real-world blast radius exceeds the CVSS base score: the agent process typically holds LLM provider API keys, cloud credentials, and workspace secrets.
What happened
ModelScope's ms-agent is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model Calling Protocol (MCP). The framework's Shell tool enables the agent to run arbitrary OS commands on the host system.
Researcher Itamar Yochpaz disclosed on 2026-03-02 that the Shell tool's input-validation logic relies on a regex-based command denylist — a pattern long documented as insufficient. The check function attempts to filter dangerous commands, but shell parsing semantics allow the denylist to be bypassed:
- Indirect execution paths — shell builtins, aliases, redirections, process substitutions, and string-splitting tricks cause the check to evaluate a different string than what the shell eventually executes.
- Prompt-derived injection — the agent consumes arbitrary external content (documents, web pages, log files, research inputs, MCP tool results) in the same context as user instructions. Attacker-controlled text in any of these sources can inject a command payload that the check misses.
- Six validation layers bypassed — despite implementing layered checks before execution, the function permits command execution via trusted interpreters (awk, python, perl, node) not on the denylist.
CERT/CC filed advisory VU#431821 after the maintainer failed to respond during coordinated disclosure. The vulnerability was assigned CVE-2026-2256 (CWE-77; AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N; the NIST CVSS of 6.5 MEDIUM reflects the base vulnerability without AI-agent-specific amplification factors).
Why the impact is higher in practice: An ms-agent process running as a developer on a workstation or in a CI environment typically holds:
- LLM provider API keys (ANTHROPIC_API_KEY, OPENAI_API_KEY, AWS Bedrock IAM creds, etc.)
- Cloud credentials (~/.aws/credentials, GOOGLE_APPLICATION_CREDENTIALS, etc.)
- Shell history with secrets
- SSH private keys
- npm/PyPI publish tokens
A single exploited command injection exfiltrates all of the above — behavior closer to a cloud-account compromise than a typical CVSS 6.5 vulnerability. This is the same amplification pattern documented in LangSmith CVE-2026-25750, LiteLLM CVE-2026-42208, and other AI-framework CVEs.
Am I affected?
# Check if ms-agent is installed
pip show ms-agent 2>/dev/null | grep -E '^(Name|Version):'
# Check the version
python -c "import agent; print(agent.__version__)" 2>/dev/null
# Check for ms-agent in requirements files
grep -r "ms-agent\|modelscope.*agent" requirements*.txt pyproject.toml setup.py 2>/dev/null
You are affected if:
- You have ms-agent ≤ v1.6.0rc1 installed, AND
- The agent can process any externally-supplied content (documents, web pages fetched via tools, API/MCP results, logs, user input, or any text not written directly by you)
All versions through v1.6.0rc1 are vulnerable. There is no patched version.
IOCs
| Type | Value |
|---|---|
| CVE | CVE-2026-2256 |
| Affected versions | ms-agent ≤ v1.6.0rc1 (all known versions) |
| Fixed version | None — no patch available |
| CWE | CWE-77 (Command Injection) |
| CVSS 3.1 | 6.5 MEDIUM (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N; NIST assessment pending) |
| CERT/CC | VU#431821 |
| Published | 2026-03-02 |
| Public PoC | Yes (listed in NVD advisory) |
| Patch | None — vendor unresponsive to CERT/CC |
If you are affected
- Do not feed ms-agent any untrusted content until a patch is available — documents, URLs to fetch, files from external repos, or any data source you do not fully control.
- Sandbox the agent process — run it inside a Docker container, VM, or
firejailjail with network egress blocked to everything except required LLM API endpoints. - Audit recent agent sessions for unexpected shell commands in agent output logs (look for curl, wget, base64, python -c, or eval calls you did not initiate).
- Rotate credentials accessible from the agent's environment if it processed any untrusted content before today.
- Monitor the ms-agent GitHub repository for a security patch; as of 2026-06-22 the vendor has not responded to CERT/CC coordination.
→ playbooks/rotating-cloud-credentials.md → prevention/agent-sandboxing.md
Prevention
- Prefer allowlists over denylists for command validation in AI agent Shell tools. CWE-77 via regex blacklist is a class of bug, not a one-off: Flowise CVE-2025-59528 (
eval(mcpServerConfig)), Microsoft Semantic Kernel decorator-as-documentation, and Langflow CVE-2026-33017 all stem from "the check function is documentation, not a security boundary." - Isolate agents that can execute shell commands. Any agent with a shell primitive is a potential RCE waiting for the right crafted input. Run it in a minimal container with read-only filesystem mounts and only the specific network endpoints it needs.
- Treat LLM provider keys as secrets, not config. If the agent process holds an
ANTHROPIC_API_KEY, mount it from a secrets manager at runtime rather than baking it into environment variables — so credential rotation doesn't require rebuilding containers.
→ prevention/agent-sandboxing.md → prevention/credential-hygiene.md
Sources
- SecurityWeek — Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise — primary disclosure coverage, technical details on bypass mechanism and impact.
- NVD — CVE-2026-2256 Detail — canonical CVE record; CVSS 6.5 MEDIUM (CISA-ADP; NIST assessment pending), CWE-77, affected versions, PoC reference.
- CERT/CC — VU#431821 — coordination advisory documenting vendor non-response and confirming unpatched status.