CYBERNEWSMEDIA Network


Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise

Improper input sanitization in the framework can be exploited through the Shell tool, allowing attackers to modify system files and steal data.

The post Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise appeared first on SecurityWeek.


A vulnerability in the ModelScope MS-Agent framework can be exploited via crafted input to execute arbitrary OS commands.

MS-Agent is ModelScope's open source framework for building AI agents that generate code, analyze data, and interact with other tools through MCP (Model Context Protocol).

Tracked as CVE-2026-2256, the bug exists because MS-Agent’s Shell tool, which enables agents to execute OS commands on the host, fails to properly sanitize input.

The tool does implement a check function to filter dangerous commands, but it uses a regex-based blacklist for that, which is a known unsafe pattern, security researcher Itamar Yochpaz explains.

Because the Shell tool hands the entire command string to a shell, the shell interprets the whole attacker-influenced string as executable logic, and the safety checks that ran over the raw string before execution are bypassed.

Despite the implementation of six validation layers before command execution, the function allows attackers to execute arbitrary code via trusted interpreters, exfiltrate data via allowed network utilities, and bypass tokenization via shell parsing semantics, Yochpaz says.

“An attacker can exploit this flaw by injecting crafted content into data sources consumed by the agent, such as prompts, documents, logs, or research inputs, without requiring direct shell access or explicit operator misuse,” the researcher notes.

An attacker can supply content designed to steer the agent into selecting the Shell tool, so that the agent formulates a shell command string containing the attacker-influenced text, Yochpaz explains.

Because the shell re-parses that string at execution time, the blacklist check evaluates one form of the command while the shell executes another; the check is bypassed, and attacker-influenced logic runs within the agent's runtime context.

“As a result, arbitrary commands can be executed with the privileges of the MS-Agent process on the host system as part of the agent’s normal execution flow, potentially leading to full host compromise,” Yochpaz notes.

Successful exploitation of the bug allows an attacker to read secrets such as API keys, tokens, and configuration files, drop payloads on the host, modify the workspace state, establish persistence, pivot to internal services and adjacent systems, and inject input into build outputs, reports, or files that are consumed downstream.

The vulnerability was discovered in MS-Agent version 1.5.2. According to a CERT/CC advisory, the vendor has not responded during coordination efforts.

“Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or executed with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and implementing stronger isolation boundaries for tool execution,” the advisory reads.
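The two points above (a regex denylist over a raw command string, and the advisory's recommendation to replace it with a strict allowlist and stronger isolation) can be shown side by side. The block below is an added example written for this page; it is not MS-Agent's check function, the vendor's code, or the researcher's payloads. The DENYLIST pattern, the ALLOWED_EXECUTABLES set, and all function names are assumptions for the illustration, and the command strings are constructed inputs that rely only on standard POSIX shell quoting and word splitting.

```python
import re
import shlex
import subprocess

# Constructed stand-in for a regex denylist over the raw command string.
# This is NOT MS-Agent's check function; it only shows why the pattern fails.
DENYLIST = re.compile(r"\b(rm|curl|wget|nc|bash|sh)\b")


def denylist_allows(command: str) -> bool:
    """True if the naive denylist would let the raw string through."""
    return DENYLIST.search(command) is None


def shell_argv(command: str) -> list[str]:
    """What a POSIX shell sees after quote removal and word splitting.

    A regex over the raw string never models this step, which is why
    r''m and rm are different to the regex but identical to the shell.
    """
    return shlex.split(command)


# Hypothetical hardened policy: allowlist the executable name and never
# invoke a shell, so metacharacters in arguments are inert bytes.
ALLOWED_EXECUTABLES = {"echo", "wc", "ls"}


def allowlist_allows(command: str) -> bool:
    """True only if argv[0], as the shell would derive it, is allowlisted."""
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] in ALLOWED_EXECUTABLES


def run_hardened(command: str, timeout: float = 5.0) -> str:
    """Run an allowlisted command as an argv list with shell=False.

    Sandboxing and least privilege (containers, seccomp, a dedicated
    unprivileged user) belong around this call and are out of scope here.
    """
    if not allowlist_allows(command):
        raise PermissionError(f"rejected by allowlist: {command!r}")
    result = subprocess.run(
        shlex.split(command),
        capture_output=True,
        text=True,
        timeout=timeout,
        shell=False,  # no shell: no word splitting, no $(...), no ';' chaining
    )
    return result.stdout


# Constructed inputs illustrating the three failure modes named in the article.
TOKENIZATION_BYPASS = "r''m -rf /tmp/scratch"          # quotes split the regex word
TRUSTED_INTERPRETER = "python3 -c \"import os; os.system('id')\""  # not on the denylist
CHAINED_INERT = "echo hi; rm -rf /tmp/scratch"         # harmless without a shell


if __name__ == "__main__":
    for cmd in (TOKENIZATION_BYPASS, TRUSTED_INTERPRETER, CHAINED_INERT):
        print(f"{cmd!r}")
        print("  denylist allows :", denylist_allows(cmd))
        print("  shell argv      :", shell_argv(cmd))
        print("  allowlist allows:", allowlist_allows(cmd))
    print("no-shell run of chained input:", run_hardened(CHAINED_INERT).strip())
```

The `r''m` case is the tokenization bypass: the regex sees `r''m`, the shell sees `rm`. The `python3 -c` case is the trusted-interpreter route: nothing on the denylist matches, yet arbitrary code runs. The chained case shows why `shell=False` matters: `;` and everything after it arrive at `echo` as plain arguments, so the allowlist on `argv[0]` is the only boundary that has to hold.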

Related: Vulnerability Allowed Hijacking Chrome’s Gemini Live AI Assistant

Related: OpenClaw Vulnerability Allowed Websites to Hijack AI Agents

Related: Anthropic Refuses to Bend to Pentagon on AI Safeguards as Dispute Nears Deadline

Related: The Blast Radius Problem: Stolen Credentials Are Weaponizing Agentic AI

