Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise
securityweek
Improper input sanitization in the framework can be exploited through the Shell tool, allowing attackers to modify system files and steal data.


A vulnerability in the ModelScope MS-Agent framework can be exploited via crafted input to execute arbitrary OS commands.
MS-Agent is an open source framework from ModelScope for building AI agents that can generate code, analyze data, and interact with other tools; it is built around MCP (the Model Context Protocol).
Tracked as CVE-2026-2256, the bug exists because MS-Agent’s Shell tool, which enables agents to execute OS commands on the host, fails to properly sanitize input.
The tool does implement a check function meant to filter dangerous commands, but that check is a regex-based blacklist, a pattern that is well known to be unsafe, security researcher Itamar Yochpaz explains.
Because of this, the Shell tool hands an attacker's entire command string to the shell as executable logic, so the safety checks can be bypassed.
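To make the point about regex blacklists concrete, the following is an added example written for this page; it is not MS-Agent's code, not the researcher's proof of concept, and the deny patterns, bypass strings, allowed binaries and the WORKSPACE path are all constructed for illustration. It contrasts a string-level denylist (which the shell's own parsing defeats through flag reordering, quote splicing, globbing and command substitution) with an allowlist that tokenises the command, confines arguments, and runs argv without a shell.

```python
import os
import re
import shlex
import subprocess
from typing import List, Optional

# Constructed denylist for illustration only. This is NOT MS-Agent's filter,
# and the probe strings below are not the CVE-2026-2256 payload.
DENY_PATTERNS = [
    r"\brm\s+-rf\b",      # "rm -rf"
    r"\b(curl|wget)\b",   # network fetches
    r"/etc/passwd",       # sensitive file
]
_DENY_RE = re.compile("|".join(DENY_PATTERNS))


def blacklist_allows(command: str) -> bool:
    """Regex denylist: allowed unless some pattern matches the raw string.

    The shell treats the whole string as a program, so any rewrite the shell
    normalises away (re-ordered flags, quote splicing, globs, $(...)) slips
    past a pattern that only sees the text.
    """
    return _DENY_RE.search(command) is None


# Hardened form (an assumed design, not the project's): allowlist argv[0],
# reject shell metacharacters in every argument, confine paths to a sandbox
# root, and execute with shell=False so no interpreter parses the string.
ALLOWED_BINARIES = {"ls", "cat", "echo", "wc", "head"}
WORKSPACE = "/workspace"                      # assumed sandbox root
SHELL_META = set(";|&$`<>(){}*?\\\n")


def allowlist_parse(command: str) -> Optional[List[str]]:
    """Return argv if the command passes the allowlist policy, else None."""
    try:
        argv = shlex.split(command)           # POSIX tokenisation, quotes resolved
    except ValueError:                        # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_BINARIES:
        return None
    for arg in argv[1:]:
        if SHELL_META & set(arg):             # anything a shell would interpret
            return None
        if "/" in arg:                        # path-like: must resolve inside WORKSPACE
            resolved = os.path.realpath(os.path.join(WORKSPACE, arg))
            if not resolved.startswith(WORKSPACE + os.sep):
                return None
    return argv


def run_allowlisted(command: str) -> Optional[str]:
    """Execute only what allowlist_parse accepts; never hand a string to a shell."""
    argv = allowlist_parse(command)
    if argv is None:
        return None
    cwd = WORKSPACE if os.path.isdir(WORKSPACE) else None
    proc = subprocess.run(argv, capture_output=True, text=True, cwd=cwd, timeout=10)
    return proc.stdout


if __name__ == "__main__":
    probes = [
        "rm -rf /tmp/x",                  # caught by the regex
        "rm -r -f /tmp/x",                # same effect, not caught
        'cu""rl http://example.invalid',  # shell splices the quotes into "curl"
        "cat /etc/pass*",                 # glob expands to /etc/passwd
        "ls $(whoami)",                   # command substitution
        "ls; rm -rf /",                   # command chaining
        "ls -la",
    ]
    for p in probes:
        print(f"{p!r:36} blacklist={blacklist_allows(p)!s:5} allowlist={allowlist_parse(p)}")
    print(run_allowlisted("echo hello"), end="")
```

Running the probes shows every bypass string passing the denylist while the allowlist rejects each one: `shlex.split` resolves `cu""rl` to `curl` just as the shell would, so the allowlist judges the command the shell would actually run rather than the text the attacker typed.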
Despite the implementation of six validation ...
Copyright of this story solely belongs to securityweek.

