Security News

Cybersecurity news aggregator

CRITICAL | Vulnerabilities | SecurityWeek

Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise

A critical vulnerability (CVE-2026-2256) in the MS-Agent AI framework allows full system compromise via improper input sanitization in its Shell tool, enabling arbitrary command execution by injecting crafted content into agent data sources. The flaw exists in MS-Agent version 1.5.2, and according to a CERT/CC advisory, the vendor has not responded during coordination efforts. Users should deploy MS-Agent only in trusted environments, sandbox agents with shell execution capabilities, and ensure all ingested content is validated or sanitized.

Improper input sanitization in the framework can be exploited through the Shell tool, allowing attackers to modify system files and steal data.

By Ionut Arghire | March 3, 2026 (5:43 AM ET)

A vulnerability in the ModelScope MS-Agent framework can be exploited via crafted input to execute arbitrary OS commands.

MS-Agent is an open source framework for creating AI agents capable of generating code, analyzing data, and interacting with other tools, based on MCP (Model Calling Protocol).

Tracked as CVE-2026-2256, the bug exists because MS-Agent’s Shell tool, which enables agents to execute OS commands on the host, fails to properly sanitize input. The tool does implement a check function to filter dangerous commands, but it uses a regex-based blacklist for that, which is a known unsafe pattern, security researcher Itamar Yochpaz explains.

The shortcomings lead the Shell tool to interpret an attacker’s entire command string as executable logic, thereby bypassing safety checks. Despite the implementation of six validation layers before command execution, the function allows attackers to execute arbitrary code via trusted interpreters, exfiltrate data via allowed network utilities, and bypass tokenization via shell parsing semantics, Yochpaz says.

“An attacker can exploit this flaw by injecting crafted content into data sources consumed by the agent, such as prompts, documents, logs, or research inputs, without requiring direct shell access or explicit operator misuse,” the researcher notes.

An attacker can supply content designed to instruct the agent into selecting the Shell tool, which results in the agent formulating a shell command string containing the attacker-influenced text, Yochpaz explains. The way the shell interprets the command at execution time results in blacklist checks being bypassed and the execution of attacker-influenced logic, leading to command execution within the agent’s runtime context.

“As a result, arbitrary commands can be executed with the privileges of the MS-Agent process on the host system as part of the agent’s normal execution flow, potentially leading to full host compromise,” Yochpaz notes.

Successful exploitation of the bug allows an attacker to read secrets such as API keys, tokens, and configuration files, drop payloads on the host, modify the workspace state, establish persistence, pivot to internal services and adjacent systems, and inject input into build outputs, reports, or files that are consumed downstream.

The vulnerability was discovered in MS-Agent version 1.5.2. According to a CERT/CC advisory, the vendor has not responded during coordination efforts.

“Users should deploy MS-Agent only in environments where ingested content is trusted, validated, or sanitized. Agents with shell execution capabilities should be sandboxed or executed with least-privilege permissions. Additional mitigation strategies include replacing denylist-based filtering with strict allowlists and implementing stronger isolation boundaries for tool execution,” the advisory reads.

Written by Ionut Arghire, an international correspondent for SecurityWeek.
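The advisory's recommended fix, replacing a denylist with a strict allowlist and removing the shell from the execution path, is easy to state and worth seeing in code. The block below is an added example written for this page; it is not MS-Agent's Shell tool, nor the researcher's or CERT/CC's code, and it does not reproduce the framework's actual check function. It assumes a Python agent tool that receives one command string from the model. The names `RULES`, `CommandRule`, `Decision`, `validate` and `run_tool`, the permitted programs and flags, and the workspace path in the comments are all assumptions chosen for illustration.

```python
"""Allowlist-based command policy for an agent "shell" tool (added example).

Assumptions (not from the advisory or from MS-Agent): the agent hands a single
command string to this policy, the policy decides whether it may run, and
execution happens without a shell, so shell parsing semantics never apply to
model-influenced text.
"""
import os
import re
import shlex
import subprocess
from dataclasses import dataclass, field

# Conservative charset for non-option arguments. Whitespace, quotes and every
# shell operator character are excluded, so even if a shell were somehow
# involved later there is nothing for it to reinterpret.
_SAFE_ARG = re.compile(r"^[A-Za-z0-9._/-]+$")


@dataclass(frozen=True)
class CommandRule:
    """What one allowed program may be invoked with."""
    options: frozenset = field(default_factory=frozenset)  # permitted flags only
    max_paths: int = 8                                       # cap on path arguments


# Strict allowlist: any program not named here is denied by default.
# (Hypothetical policy for a read-only workspace inspection tool.)
RULES = {
    "ls":  CommandRule(options=frozenset({"-l", "-a", "-la"})),
    "cat": CommandRule(options=frozenset({"-n"})),
    "wc":  CommandRule(options=frozenset({"-l", "-w", "-c"})),
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    argv: list = field(default_factory=list)  # exact argv to execute when allowed


def validate(command: str, workspace: str) -> Decision:
    """Decide whether `command` may run, confined to files under `workspace`."""
    root = os.path.realpath(workspace)
    try:
        # shlex tokenizes like a POSIX shell but performs no expansion or
        # operator handling: "$(...)", "|" and ";" stay literal text.
        argv = shlex.split(command, posix=True)
    except ValueError as exc:  # unbalanced quotes and similar
        return Decision(False, f"unparsable command: {exc}")
    if not argv:
        return Decision(False, "empty command")

    prog, args = argv[0], argv[1:]
    rule = RULES.get(prog)
    if rule is None:
        return Decision(False, f"program not in allowlist: {prog!r}")

    paths = 0
    for arg in args:
        if arg.startswith("-"):
            if arg not in rule.options:
                return Decision(False, f"option not permitted for {prog}: {arg!r}")
            continue
        if not _SAFE_ARG.match(arg):
            return Decision(False, f"disallowed characters in argument: {arg!r}")
        # Resolve against the workspace and refuse anything that escapes it,
        # including escapes through symlinks (realpath follows them).
        target = os.path.realpath(os.path.join(root, arg))
        if os.path.commonpath([root, target]) != root:
            return Decision(False, f"path escapes workspace: {arg!r}")
        paths += 1
        if paths > rule.max_paths:
            return Decision(False, f"too many path arguments for {prog}")
    return Decision(True, "ok", [prog] + args)


def run_tool(command: str, workspace: str, timeout: float = 10.0) -> str:
    """Validate, then execute the approved argv with no shell in the loop."""
    decision = validate(command, workspace)
    if not decision.allowed:
        return f"denied: {decision.reason}"
    # shell=False hands argv straight to exec(); the model's string is never
    # re-parsed by /bin/sh. The reduced env and cwd are isolation, not the
    # safety boundary; that is the allowlist above plus an outer sandbox.
    proc = subprocess.run(decision.argv, shell=False, cwd=workspace,
                          env={"PATH": "/usr/bin:/bin"},
                          capture_output=True, text=True, timeout=timeout)
    if proc.returncode != 0:
        return f"exit {proc.returncode}: {proc.stderr}"
    return proc.stdout


if __name__ == "__main__":
    # Constructed demonstration inputs against a hypothetical workspace.
    for cmd in ["ls -la docs", "cat notes.txt", "cat ../secrets.env",
                "ls; wc -l notes.txt", "cat notes.txt | wc -l"]:
        print(f"{cmd!r:32} -> {validate(cmd, '/tmp/agent_ws')}")
```

The contrast with a regex denylist is the decision direction: a denylist has to anticipate every way a string might become dangerous once a shell parses it, while this policy names the only programs, flags and argument shapes that may ever reach `exec()`, and anything else fails closed. The allowlist is still only one layer; the advisory's other recommendations (least privilege and a sandbox around the tool process) bound the damage if the policy itself has a gap.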