Intel

AIKIDO-2026-270713

agno is vulnerable to OS Command Injection

OS Command Injection Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jun 24, 2026

71

High Risk

This Affects:

PYTHONagno
1.7.6 - 2.6.12
Fixed in 2.6.13
Are you affected? Scan for Free

TL;DR

The DaytonaTools toolkit builds shell command strings by interpolating file and directory paths directly into commands executed inside the Daytona sandbox. Methods such as run_shell_command, create_file, read_file, list_files, and delete_file pass these path values to the sandbox shell without escaping. A path containing shell metacharacters lets a caller run arbitrary commands inside the sandbox beyond the intended file operation. The fix wraps path-derived values with shlex.quote before interpolation and normalizes paths using POSIX semantics.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application uses the DaytonaTools toolkit with attacker-influenced file or directory paths.

Background info

agno is vulnerable to OS Command Injection in versions 1.7.6 - 2.6.12.

How to fix this

Upgrade the agno library to the patch version.