CISA issues advisory on MS-Agent command injection
ModelScope's MS-Agent framework contains a command injection vulnerability that accepts unsanitized prompt-derived input and can result in arbitrary Operating System (OS) command execution on systems where the framework is deployed.
The issue is recorded as CVE-2026-2256 and involves the framework's Shell tool, which executes commands on the host OS to complete agentic actions. The tool's check_safe() method applies a regular expression denylist intended to block unsafe commands, but that denylist can be bypassed: a denylist blocks only the patterns its author anticipated, so input shaped to avoid those patterns is passed through as safe. The vulnerability can be triggered when an agent is instructed to process or retrieve external content, such as analyzing code, summarizing documents, or other tasks that involve attacker-controlled data, allowing crafted prompt-derived input to reach the shell execution layer.
Successful exploitation permits execution of arbitrary OS commands with the privileges of the MS-Agent process. This capability may allow modification of system files, lateral movement within the environment, establishment of persistence mechanisms, or exfiltration of sensitive data accessible to the agent.
No vendor statement was provided during coordination. The advisory recommends deploying MS-Agent only in environments where ingested content is trusted, validated, or sanitized, and running agents with shell execution capabilities in a sandbox or under least-privilege permissions. Additional mitigations listed include replacing denylist-based filtering with strict allowlists and enforcing stronger isolation boundaries around tool execution.
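To make the denylist-versus-allowlist recommendation concrete, the following Python is an added, constructed illustration; it is not MS-Agent's code, does not reproduce check_safe(), and does not show the reported CVE-2026-2256 bypass. It places a toy regex denylist of the kind the advisory describes beside an allowlist gate that refuses shell metacharacters, tokenises the command with shlex, checks the program name against a fixed set, and executes argv without a shell. The patterns, the allowed binaries and the sample commands are all assumptions made for the example.

```python
"""Denylist vs allowlist gating for an agent shell tool.

Constructed illustration: the denylist patterns, the allowed binaries and the
sample commands are assumptions for this example, not MS-Agent's check_safe()
and not the CVE-2026-2256 bypass.
"""
import re
import shlex
import subprocess

# Denylist of the kind the advisory describes: a command is "safe" when no
# pattern matches. It is only as good as the author's list of bad words.
DENYLIST = [
    r"\brm\b",
    r"\b(curl|wget)\b",
    r"\b(ba)?sh\b\s+-c\b",
]


def denylist_check(command: str) -> bool:
    """Return True when the raw command string matches no denylist pattern."""
    return not any(re.search(pattern, command) for pattern in DENYLIST)


# Allowlist alternative: a fixed set of programs, no shell in the loop.
ALLOWED_BINARIES = {"ls", "cat", "head", "wc", "grep", "echo"}
# Anything a shell would interpret is refused before tokenising.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def allowlist_parse(command: str):
    """Return argv for a permitted command, or None when it is rejected.

    The program name is checked after shlex tokenisation, so a quoting trick
    such as r"m" resolves to "rm" before the check rather than after it.
    """
    if SHELL_META.search(command):
        return None
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes
        return None
    if not argv or "/" in argv[0] or argv[0] not in ALLOWED_BINARIES:
        return None
    return argv


def run_allowlisted(command: str, timeout: float = 5.0) -> subprocess.CompletedProcess:
    """Execute an allowlisted command with argv passed directly (shell=False)."""
    argv = allowlist_parse(command)
    if argv is None:
        raise PermissionError(f"rejected by allowlist: {command!r}")
    return subprocess.run(argv, capture_output=True, text=True, timeout=timeout)


# Constructed sample inputs an agent might be tricked into passing through.
SAMPLES = {
    "benign":   "ls -la /tmp",
    "direct":   "rm -rf /tmp/x",
    "quoted":   'r"m" -rf /tmp/x',                     # sh parses r"m" as rm
    "expanded": "$(printf '\\162\\155') -rf /tmp/x",    # octal escapes for "rm"
    "chained":  "ls /tmp; rm -rf /tmp/x",
}


def compare_gates():
    """Return {name: (passes_denylist, allowlist_argv)} for every sample."""
    return {name: (denylist_check(cmd), allowlist_parse(cmd))
            for name, cmd in SAMPLES.items()}


if __name__ == "__main__":
    for name, (deny_ok, argv) in compare_gates().items():
        print(f"{name:9} denylist={'PASS' if deny_ok else 'BLOCK':5} "
              f"allowlist={'PASS ' + str(argv) if argv else 'BLOCK'}")
    print(run_allowlisted("echo hello").stdout.strip())
```

Running the block shows the two gates disagreeing on the "quoted" and "expanded" samples: the regex never sees the token rm, so the denylist passes them, while the allowlist rejects them because the program name after tokenisation is not permitted or because a substitution character is present. An allowlist with shell=False removes the shell parser from the path but is still not a sandbox; the advisory's least-privilege and isolation recommendations apply on top of it, since an allowed binary such as cat can still read anything the agent's account can.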
The report credits Itamar Yochpaz as the reporter and lists Christopher Cullen as the document author; the advisory also includes references to external resources and notes options for contact and for vendors to provide a statement regarding the vulnerability.