www.securityweek.com 3/3/2026, 11:02:26 AM · via preferred

CVE-2026-2256: MS-Agent Shell flaw lets attackers run OS commands

CyberSIXT evidence panel:
- Source: marked as original reporting
- CISA KEV: not listed
- Patch status: unknown

A vulnerability in the ModelScope MS-Agent framework, tracked as CVE-2026-2256, can be exploited through crafted input to execute arbitrary OS commands, potentially allowing full system compromise. The flaw resides in MS-Agent’s Shell tool, which runs host commands but fails to sanitise input properly, despite six validation layers prior to execution.

A security researcher explains that the tool’s regex-based blacklist is unsafe, enabling attackers to bypass safety checks by having the command string interpreted as executable logic. An attacker can inject content into data sources consumed by the agent—such as prompts, documents or logs—to cause the agent to select the Shell tool and generate a shell command containing attacker-influenced text, bypassing blacklist checks during execution.

As a result, commands run with the privileges of the MS-Agent process, which could let the attacker read secrets, drop payloads, modify workspace state, establish persistence and pivot to internal services, up to full host compromise, according to the CERT/CC advisory. The vulnerability was discovered in MS-Agent version 1.5.2; the advisory recommends deploying the framework only in trusted environments, sandboxing shell-enabled agents, and replacing denylist filtering with strict allowlists.
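One way to implement the allowlist the advisory recommends, as an added example that is not MS-Agent's own code: the command is tokenised with shlex, only a fixed set of binaries and flags pass, any shell syntax in the raw string is rejected, positional paths must stay inside an assumed workspace root, and the resulting argv is executed without a shell. The allowlist contents, the /workspace root and the function names are assumptions for illustration; the allowlist complements sandboxing, it does not replace it.

```python
import re
import shlex
import subprocess
from pathlib import Path

# Hypothetical allowlist for an agent's shell tool: binary -> permitted flags.
# Constructed for this example; an agent gets only what its tasks need.
ALLOWED_COMMANDS = {
    "ls": {"-l", "-a", "-la", "-al", "-h"},
    "cat": set(),
    "wc": {"-l", "-c", "-w"},
}
# Shell syntax is refused outright even though nothing is ever handed to a
# shell: the agent may run one allowlisted program, never compose pipelines.
SHELL_SYNTAX = re.compile(r"[;&|<>`$(){}\[\]\n\r\\*?!~]")
WORKSPACE = Path("/workspace")  # assumed sandbox root for the agent


def authorize_command(command: str, workspace: Path = WORKSPACE):
    """Return an argv list if the command passes the allowlist, else None."""
    if not command or SHELL_SYNTAX.search(command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED_COMMANDS:
        return None
    allowed_flags = ALLOWED_COMMANDS[argv[0]]
    root = workspace.resolve()
    for tok in argv[1:]:
        if tok.startswith("-"):
            if tok not in allowed_flags:
                return None
        else:
            # Positional args must resolve inside the workspace (no traversal,
            # no absolute paths elsewhere on the host).
            target = (root / tok).resolve()
            if target != root and root not in target.parents:
                return None
    return argv


def run_agent_command(command: str, workspace: Path = WORKSPACE):
    """Execute an authorised command directly (shell=False), with a timeout."""
    argv = authorize_command(command, workspace)
    if argv is None:
        raise PermissionError(f"command not allowed: {command!r}")
    return subprocess.run(argv, cwd=workspace, shell=False, capture_output=True,
                          text=True, timeout=10)
```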


Article by CyberSIXT