VYPR
Moderate severity · NVD Advisory · Published Mar 2, 2026 · Updated Mar 3, 2026

Command injection vulnerability in ModelScope's ms-agent

CVE-2026-2256

Description

A command injection vulnerability in ModelScope's ms-agent versions v1.6.0rc1 and earlier exists, allowing an attacker to execute arbitrary operating system commands through crafted prompt-derived input.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A command injection vulnerability in MS-Agent v1.6.0rc1 and earlier allows arbitrary OS command execution via crafted prompt-derived input that bypasses regex-based sanitization.

Vulnerability Analysis

The vulnerability resides in ModelScope's MS-Agent framework, a lightweight agent architecture supporting autonomous task execution and tool invocation. CVE-2026-2256 affects versions v1.6.0rc1 and earlier. The Shell tool, designed to execute operating system commands as part of agentic actions, fails to adequately sanitize input derived from user prompts or external content. The check_safe() method, intended to filter dangerous commands using a regular expression denylist, can be bypassed, allowing crafted input to reach the shell execution layer [1][3].

Exploitation Vector

An attacker can exploit this vulnerability through indirect prompt injection. By embedding malicious command sequences in external content that the agent is instructed to process—such as code, documents, or URL responses—the attacker influences the agent to forward those sequences to the Shell tool. Since the regex-based denylist is not sufficient, commands like rm -rf / or other arbitrary OS commands can be executed. No authentication is required beyond the ability to supply crafted input to the agent, making the attack surface broad and accessible via chat interactions or automated processing of attacker-controlled data [2][3].

Impact

Successful exploitation grants the attacker arbitrary command execution on the host system where the MS-Agent framework is deployed. This could lead to full system compromise, data exfiltration, installation of malware, or destructive actions such as deletion of system files. The impact is severe because the agent may operate with elevated privileges to perform its tasks, amplifying the potential damage [2][3][4].

Mitigation Status

No official patch has been released by the vendor, and no vendor statement was obtained during the coordination process [3]. As of the publication date (2026-03-02), the vulnerability remains unpatched. Users are advised to restrict agent interaction with untrusted content, carefully monitor agent behavior, and consider implementing additional input validation layers or disabling the Shell tool if not essential. Given the lack of a fix, the vulnerability is a high-risk target for exploitation [1][3][4].
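The "additional input validation layer" recommended above can be built as a reject-by-default allowlist in front of the tool, instead of a regex denylist that has to anticipate every dangerous string. The following is an added example written for this page; it is not ms-agent's code and does not reproduce its check_safe() method. The allowlist contents, the metacharacter set, the path rule and the print-based rejection hook are all assumptions chosen to illustrate the design; a deployment would tune the allowlist to the tasks the agent actually needs and route rejections to its audit log, since a rejected command is itself a useful prompt-injection indicator.

```python
"""Allowlist-based validation layer for an agent shell tool.

Added example, not ms-agent's own code. It shows the reject-by-default
alternative the advisory recommends as an extra validation layer.
"""
import shlex
import subprocess
from typing import List, Optional, Tuple

# Constructed allowlist: executable name -> flags it may be given.
# Anything not listed here is rejected; there is no "known bad" list to bypass.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la", "-al"},
    "cat": set(),
    "head": {"-n"},
    "wc": {"-l"},
}

# These characters are only meaningful to a shell. The tool never invokes a
# shell, so their presence means the input is not a plain argv list.
SHELL_METACHARS = set(";&|`$<>(){}\n\r\\")


def check_command(command: str) -> Tuple[Optional[List[str]], str]:
    """Parse a prompt-derived command string and decide whether to run it.

    Returns (argv, "ok") when every token is on the allowlist, otherwise
    (None, reason). The reason string is intended for the audit log so that
    rejected requests are visible to whoever monitors the agent.
    """
    if any(ch in SHELL_METACHARS for ch in command):
        return None, "shell metacharacter present"
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # e.g. unbalanced quotes
        return None, f"unparseable: {exc}"
    if not argv:
        return None, "empty command"

    prog = argv[0]
    if prog not in ALLOWED_COMMANDS:
        return None, f"executable not allowlisted: {prog}"

    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in ALLOWED_COMMANDS[prog]:
                return None, f"flag not allowlisted: {arg}"
        elif arg.startswith("/") or ".." in arg.split("/"):
            # Keep file arguments inside the agent's working directory.
            return None, f"path escapes workspace: {arg}"
    return argv, "ok"


def run_validated(command: str, workspace: str) -> Optional[subprocess.CompletedProcess]:
    """Run the command only if it passes check_command, and never through a shell."""
    argv, reason = check_command(command)
    if argv is None:
        # Hypothetical hook: a real deployment would write this to the audit log.
        print(f"REJECTED {command!r}: {reason}")
        return None
    return subprocess.run(argv, cwd=workspace, shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed workspace with one readable file, used only for the demo run.
    with tempfile.TemporaryDirectory() as ws:
        with open(os.path.join(ws, "notes.txt"), "w") as fh:
            fh.write("hello\n")
        for cmd in ("cat notes.txt", "cat notes.txt; ls", "rm -rf /"):
            result = run_validated(cmd, ws)
            print(cmd, "->", result.stdout.strip() if result else "not run")
```

Because the validated argv is passed to subprocess.run with shell=False, no interpreter ever sees the prompt-derived text, so operators, substitutions and redirections have no meaning even if a future allowlist entry were too generous; the metacharacter check exists mainly to give a clear rejection reason rather than a confusing "file not found".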

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package           Affected versions   Patched versions
ms-agent (PyPI)   <= 1.6.0rc1         none

Affected products: 2

Patches: 0 (no patches discovered yet)
