A vulnerability in the ModelScope MS-Agent framework poses a risk by allowing the execution of arbitrary operating system commands through specially crafted input.
ModelScope MS-Agent is an open-source framework designed for developing AI agents that can generate code, analyze data, and interface with various tools, utilizing the Model Calling Protocol (MCP).
This issue is identified as CVE-2026-2256. It arises due to a flaw in the Shell tool of MS-Agent, which enables agents to execute commands on the host system. The vulnerability stems from the tool's inadequate input sanitization.
While the Shell tool incorporates a check function intended to filter harmful commands, it relies on a regex-based blacklist, a method that is considered unsafe. Security researcher Itamar Yochpaz detailed this concern in his analysis.
The limitations of this approach allow the Shell tool to perceive an attacker's full command string as executable logic, effectively circumventing safety checks.
Despite having six layers of validation before executing commands, the mechanism permits attackers to run arbitrary code using trusted interpreters, exfiltrate data through allowed network utilities, and bypass tokenization due to shell parsing semantics, according to Yochpaz.
Yochpaz explained, “An attacker can exploit this flaw by injecting crafted content into data sources that the agent consumes, such as prompts, documents, logs, or research inputs, without needing direct shell access or explicit operator misuse.”
An attacker can manipulate the content to direct the agent to use the Shell tool, causing it to create a shell command string that includes the attacker-influenced text.
The execution of the command by the shell at runtime leads to the bypassing of blacklist checks, enabling the execution of attacker-influenced logic within the agent's operational context.
Yochpaz further noted, “As a result, arbitrary commands can be executed with the privileges of the MS-Agent process on the host system as part of the agent’s normal execution flow, potentially resulting in full host compromise.”
If exploited successfully, this vulnerability allows attackers to access sensitive information, including API keys, tokens, and configuration files. It also enables them to drop payloads on the host, alter the workspace state, establish persistence, pivot to internal services and adjacent systems, and inject content into build outputs, reports, or files that are processed downstream.
The vulnerability was identified in MS-Agent version 1.5.2. According to a CERT/CC advisory, there has been no response from the vendor during coordination efforts regarding this issue.
The advisory recommends, “Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or run with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and enforcing stronger isolation boundaries for tool execution.”
