CVE-2026-54051 is a critical-severity OS command injection vulnerability in network-ai (npm), affecting versions < 5.9.1. It is fixed in 5.9.1.
Summary

The agent sandbox gates shell commands behind an allowlist (`SandboxPolicy.isCommandAllowed`), which THREAT_MODEL.md calls the main control against a compromised agent (Adversary 3.2). The allowlist glob-matches the whole command string, but `ShellExecutor` runs that string through `/bin/sh -c`. So any wildcard allow such as `git *`, `npm *` or `node *` also matches `git status; <anything>`, and a scoped command becomes arbitrary execution.

Root cause

Matching and execution disagree on what a command is. Lines pinned to 40e42d7 (lib/agent-runtime.ts is identical to the v5.8.5 tag).

- `isCommandAllowed` matches the full string, with no tokenizing and no metacharacter check: https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L248-L260
- `globMatch` compiles `*` to `.*` and anchors it, so `git *` becomes `^git .*$` and matches `git status; id`: https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L353-L360
- `ShellExecutor.execute` only checks `isCommandAllowed`, never `requiresApproval`: https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L387-L391
- `spawnCommand` runs the approved string via `/bin/sh -c`, so `;`, `|` and `$(...)` are interpreted by the shell: https://github.com/Jovancoding/Network-AI/blob/40e42d7a0a966b948953b3c524cf15355d20ef5e/lib/agent-runtime.ts#L427-L431

Reachability

Any agent or caller allowed to run commands hits this when the operator allowlist has a wildcard entry. A plain `git *` is enough. No fresh-install precondition and no extra misconfiguration.

PoC

Installs [email protected], allows `git *`, then runs `git status; id > marker`. The allowlist accepts it and the injected `id` runs.

Run: npm i [email protected] && node poc-316.js

Output:

Impact

Arbitrary command execution as the orchestrator process. It defeats the one control meant to contain a compromised agent, so any agent with a single wildcard allow (`git *`, `npm *`, `node *`) can run anything. node and npm are direct code exec even without metacharacters.

Possible fix

Do not run agent commands through a shell. Parse to argv and `spawn(file, args, { shell: false })`, allowlist on the executable plus argument patterns, and reject shell metacharacters. Anchoring the regex alone is not enough; the whole-string match plus `/bin/sh -c` is the bug.

Patch

Fixed in v5.9.1 (commit 379f776). `ShellExecutor` now executes via `spawn(file, args, { shell: false })` using a quote-aware parsed argv, so no shell is invoked. `SandboxPolicy.isCommandAllowed` and the new `SandboxPolicy.tokenizeCommand` reject any unquoted shell metacharacter (; & | $ ( ) < > { } newline) or unterminated quote before the allowlist glob match; quoted metacharacters are preserved as literal argument data.

Remediation: upgrade to network-ai@5.9.1 or later. As defense in depth, avoid broad wildcard allowlist entries such as `node *` / `npm *`, which are direct code execution by design.
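The mismatch from the root cause and the check order from the patch description, side by side, as an added example that is not network-ai's own code. The names `naiveAllowed`, `tokenize` and `hardenedCheck` are hypothetical, and the tokenizer assumes quotes only (no backslash escapes).

```javascript
// Added illustration; all names here are hypothetical, not network-ai's API.
// Metacharacter set taken from the patch description on this page.
const META = new Set([';', '&', '|', '$', '(', ')', '<', '>', '{', '}', '\n']);

// Whole-string glob: "*" becomes ".*" and the pattern is anchored.
function globToRegex(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*') + '$');
}

// Vulnerable decision: matches the raw string that a shell would later parse.
function naiveAllowed(command, allowlist) {
  return allowlist.some((g) => globToRegex(g).test(command));
}

// Quote-aware tokenizer: returns argv, or null on an unquoted shell
// metacharacter or an unterminated quote. Assumption: no backslash escapes.
function tokenize(command) {
  const argv = [];
  let cur = '', quote = null, inToken = false;
  for (const ch of command) {
    if (quote) {
      if (ch === quote) quote = null; else cur += ch; // quoted data is literal
    } else if (ch === '"' || ch === "'") {
      quote = ch; inToken = true;
    } else if (META.has(ch)) {
      return null;
    } else if (ch === ' ' || ch === '\t') {
      if (inToken) { argv.push(cur); cur = ''; inToken = false; }
    } else {
      cur += ch; inToken = true;
    }
  }
  if (quote) return null;
  if (inToken) argv.push(cur);
  return argv;
}

// Hardened decision: tokenize first, glob-match second. The caller then runs
// spawn(argv[0], argv.slice(1), { shell: false }) so no shell parses anything.
function hardenedCheck(command, allowlist) {
  const argv = tokenize(command);
  if (!argv || argv.length === 0) return { allowed: false, argv: null };
  const allowed = naiveAllowed(command, allowlist);
  return { allowed, argv: allowed ? argv : null };
}
```

With the allowlist `['git *']`, `naiveAllowed` accepts the page's `git status; id` string while `hardenedCheck` rejects it and still passes a quoted `;` through as argument data.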
Untrusted input reaches a shell command, allowing arbitrary commands to run on the host. Typical impact: code execution in the application's environment.
CVE-2026-54051 has a CVSS score of 9.9 (Critical). The vector is network-reachable, requires low privileges, and needs no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment.
A fixed version is available (5.9.1). Upgrading removes the vulnerable code path.
npm
network-ai (< 5.9.1)
network-ai → 5.9.1 (npm)

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Upgrade network-ai to 5.9.1 or later to resolve this vulnerability.