---
id: 2026-03-msagent-cve-2026-2256-shell-injection
title: "ModelScope ms-agent OS command injection via Shell tool (CVE-2026-2256) — unpatched, public PoC, CERT/CC advisory"
date_disclosed: 2026-03-02
last_updated: 2026-06-22
severity: medium
status: active
ecosystems: [pypi, ai-agents]
tools_affected: [ms-agent, modelscope]
tags: [cve, command-injection, ai-agent-framework, unpatched, shell-tool, regex-blacklist, prompt-injection-rce]
---

## TL;DR
**CVE-2026-2256** (CVSS 6.5 MEDIUM; NIST assessment pending) — ModelScope's **ms-agent** framework v1.6.0rc1 and earlier contains a command injection flaw in its Shell tool. A regex-based denylist can be bypassed via shell parsing semantics, enabling an attacker who controls any prompt-derived input (documents, logs, agent instructions, research data) to execute arbitrary OS commands on the host. **No vendor patch** — the maintainer has not responded to CERT/CC coordination. A public PoC exploit exists. In an AI agent context the real-world blast radius exceeds the CVSS base score: the agent process typically holds LLM provider API keys, cloud credentials, and workspace secrets.

## What happened

ModelScope's **ms-agent** is a Python-based open-source framework for building AI agents capable of executing OS commands, running code, analyzing data, and interacting with tools via the Model Calling Protocol (MCP). The framework's `Shell` tool enables the agent to run arbitrary OS commands on the host system.

Researcher Itamar Yochpaz disclosed on **2026-03-02** that the Shell tool's input-validation logic relies on a **regex-based command denylist** — a pattern long documented as insufficient. The check function attempts to filter dangerous commands, but shell parsing semantics allow the denylist to be bypassed:

- **Indirect execution paths** — shell builtins, aliases, redirections, process substitutions, and string-splitting tricks cause the check to evaluate a different string than what the shell eventually executes.
- **Prompt-derived injection** — the agent consumes arbitrary external content (documents, web pages, log files, research inputs, MCP tool results) in the same context as user instructions. Attacker-controlled text in any of these sources can inject a command payload that the check misses.
- **Six validation layers bypassed** — despite implementing layered checks before execution, the function permits command execution via trusted interpreters (awk, python, perl, node) not on the denylist.

CERT/CC filed advisory **VU#431821** after the maintainer failed to respond during coordinated disclosure. The vulnerability was assigned **CVE-2026-2256** (CWE-77; `AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`; the NIST CVSS of 6.5 MEDIUM reflects the base vulnerability without AI-agent-specific amplification factors).

**Why the impact is higher in practice:** An ms-agent process running as a developer on a workstation or in a CI environment typically holds:
- LLM provider API keys (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY`, AWS Bedrock IAM creds, etc.)
- Cloud credentials (`~/.aws/credentials`, `GOOGLE_APPLICATION_CREDENTIALS`, etc.)
- Shell history with secrets
- SSH private keys
- npm/PyPI publish tokens

A single exploited command injection exfiltrates all of the above — behavior closer to a cloud-account compromise than a typical CVSS 6.5 vulnerability. This is the same amplification pattern documented in [LangSmith CVE-2026-25750](2026-01-langsmith-account-takeover.md), [LiteLLM CVE-2026-42208](2026-04-litellm-sql-injection.md), and other AI-framework CVEs.

## Am I affected?

```bash
# Check if ms-agent is installed
pip show ms-agent 2>/dev/null | grep -E '^(Name|Version):'

# Check the version
python -c "import agent; print(agent.__version__)" 2>/dev/null

# Check for ms-agent in requirements files
grep -r "ms-agent\|modelscope.*agent" requirements*.txt pyproject.toml setup.py 2>/dev/null
```

You are affected if:
- You have `ms-agent` ≤ v1.6.0rc1 installed, AND
- The agent can process **any externally-supplied content** (documents, web pages fetched via tools, API/MCP results, logs, user input, or any text not written directly by you)

**All versions through v1.6.0rc1 are vulnerable.** There is no patched version.

### IOCs

| Type | Value |
|---|---|
| CVE | `CVE-2026-2256` |
| Affected versions | ms-agent `≤ v1.6.0rc1` (all known versions) |
| Fixed version | None — **no patch available** |
| CWE | CWE-77 (Command Injection) |
| CVSS 3.1 | 6.5 MEDIUM (`AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N`; NIST assessment pending) |
| CERT/CC | VU#431821 |
| Published | 2026-03-02 |
| Public PoC | Yes (listed in NVD advisory) |
| Patch | None — vendor unresponsive to CERT/CC |

## If you are affected

1. **Do not feed ms-agent any untrusted content** until a patch is available — documents, URLs to fetch, files from external repos, or any data source you do not fully control.
2. **Sandbox the agent process** — run it inside a Docker container, VM, or `firejail` jail with network egress blocked to everything except required LLM API endpoints.
3. **Audit recent agent sessions** for unexpected shell commands in agent output logs (look for curl, wget, base64, python -c, or eval calls you did not initiate).
4. **Rotate credentials** accessible from the agent's environment if it processed any untrusted content before today.
5. **Monitor** the [ms-agent GitHub repository](https://github.com/modelscope/ms-agent) for a security patch; as of 2026-06-22 the vendor has not responded to CERT/CC coordination.

→ [playbooks/rotating-cloud-credentials.md](../playbooks/rotating-cloud-credentials.md)
→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)

## Prevention

- **Prefer allowlists over denylists for command validation in AI agent Shell tools.** CWE-77 via regex blacklist is a class of bug, not a one-off: [Flowise CVE-2025-59528](2026-04-flowise-rce-cluster.md) (`eval(mcpServerConfig)`), [Microsoft Semantic Kernel decorator-as-documentation](2026-05-semantic-kernel-rce.md), and [Langflow CVE-2026-33017](2026-03-langflow-rce.md) all stem from "the check function is documentation, not a security boundary."
- **Isolate agents that can execute shell commands.** Any agent with a shell primitive is a potential RCE waiting for the right crafted input. Run it in a minimal container with read-only filesystem mounts and only the specific network endpoints it needs.
- **Treat LLM provider keys as secrets, not config.** If the agent process holds an `ANTHROPIC_API_KEY`, mount it from a secrets manager at runtime rather than baking it into environment variables — so credential rotation doesn't require rebuilding containers.

→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)
→ [prevention/credential-hygiene.md](../prevention/credential-hygiene.md)

## Sources

- [SecurityWeek — Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise](https://www.securityweek.com/vulnerability-in-ms-agent-ai-framework-can-allow-full-system-compromise/) — primary disclosure coverage, technical details on bypass mechanism and impact.
- [NVD — CVE-2026-2256 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-2256) — canonical CVE record; CVSS 6.5 MEDIUM (CISA-ADP; NIST assessment pending), CWE-77, affected versions, PoC reference.
- [CERT/CC — VU#431821](https://www.kb.cert.org/vuls/id/431821) — coordination advisory documenting vendor non-response and confirming unpatched status.
