critical advisory

Network-AI: Improper Neutralization of Special Elements used in an OS Command (CVE-2026-54051)

The `network-ai` package, versions prior to 5.9.1, is vulnerable to a critical command injection flaw (CVE-2026-54051) where the `ShellExecutor` component fails to properly neutralize shell metacharacters when processing commands, allowing an attacker to achieve arbitrary command execution as the orchestrator process by bypassing allowlist controls.

A critical command injection vulnerability, tracked as CVE-2026-54051, exists in the `network-ai` npm package and affects versions prior to 5.9.1. The flaw stems from a mismatch between the `SandboxPolicy.isCommandAllowed` function, which glob-matches the entire command string against the allowlist, and the `ShellExecutor`, which then executes that string directly via `/bin/sh -c`. Because of this discrepancy, an attacker can inject shell metacharacters (e.g., `;`, `|`, `$(...)`) into a command that would otherwise be approved by a broad wildcard allowlist entry (e.g., `git *`, `npm *`). This bypasses the security control meant to contain a compromised agent and enables arbitrary command execution with the privileges of the orchestrator process on Linux and macOS systems. The vulnerability was publicly disclosed on June 19, 2026, via a GitHub Security Advisory (GHSA-qw6v-5fcf-5666).

Attack Chain

  1. An attacker compromises or controls a network-ai agent process.
  2. The network-ai orchestrator's `SandboxPolicy` includes a broad wildcard allowlist entry for commands (e.g., `git *`, `npm *`, `node *`).
  3. The attacker crafts a malicious command string containing shell metacharacters, such as `git status; id > /tmp/pwned.txt`.
  4. The `SandboxPolicy.isCommandAllowed` function evaluates the full malicious string, and due to the glob-matching logic, it incorrectly determines the command is allowed.
  5. The `ShellExecutor.execute` method proceeds to execute the approved string by invoking `/bin/sh -c "git status; id > /tmp/pwned.txt"`.
  6. The `/bin/sh` interpreter processes the shell metacharacters (specifically the semicolon), executing both `git status` and the injected `id > /tmp/pwned.txt` command.
  7. Arbitrary command execution is achieved, typically as the orchestrator process, allowing the attacker to bypass the intended sandbox controls and potentially escalate privileges or exfiltrate data.
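
The mismatch in steps 4 to 6, as an added example that is not network-ai's code or its 5.9.1 patch: a whole-string glob check beside a stricter check that rejects shell metacharacters and returns an argv for shell-free execution. The names `globToRegExp`, `naiveIsAllowed`, `strictParse`, `compare` and the `POLICY` layout are hypothetical, and the sample commands are constructed apart from the string quoted in step 3.

```javascript
// Added illustration. Function and policy names are hypothetical, not network-ai's API.

// Turn an allowlist glob such as "git *" into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Flawed pattern: glob-match the whole string that a shell will later interpret.
function naiveIsAllowed(command, allowlist) {
  return allowlist.some((glob) => globToRegExp(glob).test(command));
}

// Characters /bin/sh uses for chaining, expansion, redirection, quoting and globbing.
const SHELL_META = /[;&|<>$`(){}\\'"\n\r*?~!#\[\]]/;

// Stricter check: refuse metacharacters, split into argv, and match the binary
// and subcommand exactly. Returns argv on success, null on rejection.
function strictParse(command, policy) {
  if (SHELL_META.test(command)) return null;
  const argv = command.trim().split(/\s+/);
  const [bin, sub] = argv;
  const subs = Object.prototype.hasOwnProperty.call(policy, bin) ? policy[bin] : null;
  if (!subs || !subs.includes(sub)) return null;
  // Run with child_process.execFile(argv[0], argv.slice(1)) so no shell parses it.
  return argv;
}

// Constructed sample data; the injected string is the one quoted in the attack chain.
const ALLOWLIST = ["git *", "npm *"];
const POLICY = { git: ["status", "log", "diff"], npm: ["ls"] };
const SAMPLES = ["git status", "git status; id > /tmp/pwned.txt", "git push origin main"];

// Evaluate one command under both checks.
function compare(command) {
  return { naive: naiveIsAllowed(command, ALLOWLIST), strict: strictParse(command, POLICY) !== null };
}

for (const cmd of SAMPLES) {
  console.log(JSON.stringify(cmd), compare(cmd));
}
```

Removing the shell closes only the metacharacter path; the per-binary subcommand list still decides what the tool itself is permitted to do.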

Impact

Successful exploitation of CVE-2026-54051 leads to arbitrary command execution on the system running the network-ai orchestrator process. This vulnerability completely undermines the primary security mechanism designed to prevent a compromised agent from executing unauthorized commands. Attackers can leverage this to gain full control over the orchestrator, leading to data exfiltration, further lateral movement, or deployment of additional malicious payloads. While specific victim numbers are not provided, any organization utilizing network-ai with broad wildcard allowlist entries in its SandboxPolicy on Linux or macOS systems is susceptible to this critical flaw.

Recommendation

  • Upgrade immediately: Update the `network-ai` package to version 5.9.1 or later to apply the patch for CVE-2026-54051.
  • Refine allowlists: Review and harden `SandboxPolicy` allowlist configurations, avoiding overly broad wildcard entries like `node *` or `npm *` even after patching.
  • Enable logging: Ensure process_creation logging (e.g., via Sysmon for Linux/macOS) is enabled to capture execution of shell interpreters and their command-line arguments.
  • Deploy Sigma rules: Deploy the provided Sigma rules to detect suspicious `sh -c` invocations and anomalous command executions.

Detection coverage (2 rules)

Detects CVE-2026-54051 Exploitation — Shell Command Injection via /bin/sh -c

high

Detects CVE-2026-54051 exploitation where `/bin/sh -c` is invoked with command-line arguments containing common shell metacharacters, indicative of command injection in `network-ai` or similar vulnerable applications.

sigma; tactics: execution; techniques: T1059.004; sources: process_creation, linux

Detects CVE-2026-54051 Exploitation — Suspicious 'id' Command Execution via sh

medium

Detects the execution of the `id` command specifically when it is a direct child of a `/bin/sh` process, which can indicate command injection attempts leveraging CVE-2026-54051 in `network-ai` or similar vulnerabilities.

sigma; tactics: execution; techniques: T1059.004; sources: process_creation, linux

Detection queries are available on the platform.