Advisory

Critical MS-Agent Vulnerability Allows Full System Takeover via AI Prompt Injection

Take action: If you are using ModelScope's MS-Agent, this is important and urgent. There is a critical command injection flaw, a public PoC and no patch. Isolate the system as much as possible and, until a patch is released, disable the Shell tool or implement strict command allowlists to prevent remote code execution. Treat AI agents with shell access as high-risk assets and run them only in sandboxed environments.


Learn More

ModelScope's MS-Agent framework, a tool for autonomous AI workflows, is reported to contain a critical security flaw allowing full system takeover. 

The flaw is tracked as CVE-2026-2256 (CVSS score 9.8): a command injection vulnerability in the Shell tool component of MS-Agent, caused by improper sanitization of user-influenced input. The flaw resides in the check_safe() method, which relies on a weak regular expression-based denylist to filter dangerous commands. Attackers can bypass these filters using alternative encodings or shell syntax variations to execute malicious payloads with the privileges of the MS-Agent process.

Exploiting this flaw allows attackers to achieve remote code execution (RCE) without direct access to the host. By injecting malicious content into emails, logs, or web pages that the agent processes, attackers can make the agent modify or delete critical system files, install persistence mechanisms for long-term access, steal sensitive API keys, tokens and private data, and even move laterally across networked systems and cloud environments.

The vulnerability affects ModelScope ms-agent versions v1.6.0rc1 and earlier. CERT Coordination Center (CERT/CC) noted that no official patch or vendor statement has been released to address the issue. A public proof-of-concept (PoC) has been published, massively increasing the risk of active exploitation against unpatched installations.

Since no official fix exists, organizations should restrict MS-Agent to isolated, sandboxed environments like containers or virtual machines and run the process with least-privilege permissions. It is highly recommended to disable the built-in Shell tool entirely or replace the existing denylist-based filters with a strict allowlist of approved commands.
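The two technical points above, the regex denylist in check_safe() and the strict allowlist recommended in its place, can be made concrete with the validator below. This is an added example written for this page, not MS-Agent's own code and not a patch for CVE-2026-2256; the program names, the per-program flag sets, the relative-path rule and the sample commands are constructed assumptions for a hypothetical deployment. The structural difference it shows is that a denylist has to anticipate every encoding and syntax variation that could reach the shell, whereas an allowlist rejects anything that does not match a positive rule and then executes the parsed argv with shell=False, so no shell ever interprets the string.

```python
"""Allowlist-based validation for an AI agent's shell tool.

Added example for this advisory; it is not MS-Agent's check_safe() code.
The program names, permitted flags, path rule and sample commands are
assumptions constructed for illustration.
"""
import shlex
import subprocess

# Hypothetical allowlist: approved programs and the flags each may take.
# Anything not listed here is rejected, the opposite of a denylist's default.
ALLOWED_COMMANDS: dict[str, frozenset[str]] = {
    "ls": frozenset({"-l", "-a", "-la", "-h"}),
    "head": frozenset({"-n"}),
    "wc": frozenset({"-l", "-w", "-c"}),
    "grep": frozenset({"-i", "-n", "-c"}),
}

# Characters that only make sense as shell syntax, never as a file name or
# search term in this deployment. Checked per token, after quote removal.
SHELL_METACHARS = frozenset(";&|`$<>(){}\\*?[]~!#\"'")


class CommandRejected(ValueError):
    """Raised when a command fails the allowlist."""


def _safe_path_or_word(arg: str) -> bool:
    """Accept plain words and relative paths that stay inside the working dir."""
    if not arg or not arg.isprintable():
        return False
    if any(ch in SHELL_METACHARS for ch in arg):
        return False
    if arg.startswith("/") or ".." in arg.split("/"):
        return False
    return True


def validate_command(command: str) -> list[str]:
    """Return argv for an approved command or raise CommandRejected.

    Every token must satisfy a positive rule: the program is allowlisted,
    each flag is in that program's flag set, and every other argument is a
    plain word or a relative path. Nothing is permitted by default, so there
    is no pattern for an encoding or syntax variation to slip past.
    """
    try:
        argv = shlex.split(command, posix=True)
    except ValueError as exc:  # unbalanced quotes or trailing backslash
        raise CommandRejected(f"unparseable command: {exc}") from exc
    if not argv:
        raise CommandRejected("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_COMMANDS:
        raise CommandRejected(f"program not allowlisted: {prog!r}")
    for arg in args:
        if arg.startswith("-"):
            if arg not in ALLOWED_COMMANDS[prog]:
                raise CommandRejected(f"flag not permitted for {prog}: {arg!r}")
        elif not _safe_path_or_word(arg):
            raise CommandRejected(f"argument not permitted: {arg!r}")
    return argv


def is_allowed(command: str) -> bool:
    """Boolean wrapper around validate_command, handy for logging decisions."""
    try:
        validate_command(command)
        return True
    except CommandRejected:
        return False


def run_allowlisted(command: str, timeout: float = 10.0) -> subprocess.CompletedProcess:
    """Validate, then execute with shell=False so no shell parses the string."""
    argv = validate_command(command)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=timeout)


if __name__ == "__main__":
    # Constructed sample requests, as an agent might derive them from a prompt.
    samples = [
        "ls -la",
        "grep -n TODO notes.txt",
        "rm -rf build",                # program not allowlisted
        "ls; id",                      # operator glued to the program name
        "ls $(id)",                    # substitution syntax in an argument
        'ls "a;b"',                    # quoting does not launder a metacharacter
        "ls -R",                       # flag outside the program's flag set
        "head -n 3 ../../etc/hosts",   # leaves the working directory
    ]
    for cmd in samples:
        try:
            print(f"ALLOW  {cmd!r} -> {validate_command(cmd)}")
        except CommandRejected as exc:
            print(f"REJECT {cmd!r}: {exc}")
```

Every rejection carries a reason string, which is worth logging alongside the prompt or document the agent was processing: a burst of rejected commands is the detection signal for injected content reaching the Shell tool. The flag sets and the relative-path rule are deliberately narrow and would be tuned per deployment; widening them is a reviewed change, not something a regex tweak can quietly undo.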
