Vulnerability in MS-Agent AI Framework Can Allow Full System Compromise

A vulnerability in ModelScope MS-Agent’s Shell tool (tracked as CVE-2026-2256) allows crafted input to bypass regex-based blacklist checks and execute arbitrary OS commands. An attacker can inject content into prompts, documents, logs, or other inputs to cause the agent to run attacker-influenced shell commands, risking secret theft, payload deployment, workspace modification, persistence, and lateral movement. #MS-Agent #CVE-2026-2256

Key points

  • The Shell tool in ModelScope MS-Agent (v1.5.2) fails to properly sanitize input, enabling command injection.
  • The flaw is tracked as CVE-2026-2256 and arises from an unsafe regex-based blacklist used for filtering.
  • An attacker can exploit agent-ingested data (prompts, documents, logs) to induce the agent to execute malicious shell commands.
  • Successful exploitation can lead to arbitrary command execution as the MS-Agent process, data exfiltration, persistence, and lateral movement.
  • Mitigations include running agents only on trusted input, sandboxing shell capabilities with least privilege, and replacing denylist filters with strict allowlists and stronger isolation.
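
As an added illustration of the allowlist mitigation in the last key point (example code written here, not MS-Agent's own Shell tool; the permitted command set, argument limits and workspace path rule are an assumed policy), this validator never hands agent-produced text to a shell: it parses the string itself, accepts only known binaries, and executes the resulting argv with `shell=False`, so there is no denylist regex to bypass.

```python
"""Allowlist-based command validation for an agent shell tool (hypothetical policy)."""
import shlex
import subprocess
from dataclasses import dataclass, field

# Assumed policy: permitted binaries mapped to the maximum number of arguments each may take.
ALLOWED_COMMANDS = {"ls": 2, "cat": 1, "wc": 2, "head": 3}
# Characters that only carry meaning for a shell. With shell=False they would be passed
# through literally, but refusing them removes any ambiguity about the agent's intent.
SHELL_METACHARS = set(";|&$`<>(){}\n\\")


@dataclass
class Decision:
    allowed: bool
    argv: list = field(default_factory=list)
    reason: str = ""


def validate(command: str) -> Decision:
    """Return an allow/deny decision plus the argv that would be executed."""
    if any(ch in SHELL_METACHARS for ch in command):
        return Decision(False, [], "shell metacharacter present")
    try:
        argv = shlex.split(command)          # the tool parses, the shell never does
    except ValueError as exc:
        return Decision(False, [], f"unparseable command: {exc}")
    if not argv:
        return Decision(False, [], "empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        return Decision(False, argv, f"{prog!r} is not in the allowlist")
    if len(args) > ALLOWED_COMMANDS[prog]:
        return Decision(False, argv, "too many arguments")
    for arg in args:
        if arg.startswith("-"):              # no options: keep reachable behaviour minimal
            return Decision(False, argv, f"option {arg!r} not permitted")
        if arg.startswith("/") or ".." in arg:   # keep every path inside the workspace
            return Decision(False, argv, f"path {arg!r} leaves the workspace")
    return Decision(True, argv, "ok")


def run_tool(command: str, workdir: str, timeout: float = 5.0) -> str:
    """Execute a validated command with a bounded runtime and output size."""
    decision = validate(command)
    if not decision.allowed:
        return f"refused: {decision.reason}"
    # shell=False passes argv straight to exec; cwd pins the process to the workspace.
    proc = subprocess.run(decision.argv, cwd=workdir, capture_output=True,
                          text=True, timeout=timeout)
    return proc.stdout[:4000]
```

Pair this with running the agent under a low-privilege account or container, since the allowlist limits what the tool will launch but not what a permitted binary can reach.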

Read More: https://www.securityweek.com/vulnerability-in-ms-agent-ai-framework-can-allow-full-system-compromise/