Skip to content
Threat Feed
high advisory

Authentication Bypass in PraisonAI Call API via Host Header Spoofing (CVE-2026-61435)

PraisonAI versions prior to 4.6.78 contain an authentication bypass vulnerability in the Call API agent invocation endpoints when PRAISONAI_CALL_AUTH=disabled is configured, allowing an unauthenticated attacker to remotely list and invoke registered agents by sending a spoofed 'Host: 127.0.0.1' HTTP header.

CVE-2026-61435 describes a high-severity authentication bypass vulnerability affecting PraisonAI software versions prior to 4.6.78. This flaw specifically impacts the Call API agent invocation endpoints, located in src/praisonai/praisonai/api/agent_invoke.py, when the PRAISONAI_CALL_AUTH=disabled configuration option is enabled. The vulnerability stems from an insecure method of deriving the bind host for a localhost-only safeguard. Instead of using a trusted source, the system relies on the request.url.hostname value, which is populated directly from the client-controlled HTTP Host header. A remote, unauthenticated attacker can exploit this by crafting a request with a spoofed Host: 127.0.0.1 header. This malicious request bypasses the intended localhost-only restriction, enabling the attacker to list all registered agents and invoke them without any authentication, potentially leading to unauthorized access, command execution, or data manipulation depending on the capabilities of the agents.

Attack Chain

  1. An attacker identifies a PraisonAI instance exposed to the network, likely through reconnaissance or internet-wide scanning.
  2. The attacker determines that the target PraisonAI instance is configured with PRAISONAI_CALL_AUTH=disabled.
  3. The attacker crafts an HTTP GET request to the /api/v1/agents endpoint, including a spoofed Host: 127.0.0.1 header.
  4. The PraisonAI server processes the request, mistakenly identifying it as a local request due to the spoofed Host header, and bypasses the authentication check.
  5. The server responds to the attacker with a list of all registered agents on the system, including their agent_id values.
  6. Using the obtained agent_id, the attacker crafts an HTTP POST request to the /api/v1/agents/{agent_id}/invoke endpoint, again including the spoofed Host: 127.0.0.1 header.
  7. The PraisonAI server invokes the specified agent without requiring authentication, allowing the attacker to execute arbitrary actions defined by the agent's functionality.
  8. This results in unauthorized control over PraisonAI agents, leading to potential data exposure, system modification, or further compromise.

Impact

Successful exploitation of CVE-2026-61435 grants an unauthenticated, remote attacker full unauthorized access to list and invoke any registered PraisonAI agent. The impact can range from information disclosure, such as gaining insights into the agents' configurations and capabilities, to significant system compromise. Depending on the functions and permissions of the invoked agents, an attacker could potentially execute arbitrary code, exfiltrate sensitive data, manipulate internal processes, or disrupt services. The broad nature of "agent invocation" implies a high degree of control over the PraisonAI environment and any systems or data the agents can access.

Recommendation

  • Immediately upgrade PraisonAI to version 4.6.78 or later to patch CVE-2026-61435.
  • Review your PraisonAI configuration and ensure PRAISONAI_CALL_AUTH is not set to disabled unless absolutely necessary and appropriate compensating controls are in place.
  • Deploy the Sigma rule "Detects CVE-2026-61435 Exploitation - PraisonAI Authentication Bypass" to your SIEM and investigate any alerts. This rule specifically targets the Host header spoofing behavior.
  • Monitor webserver logs for HTTP requests to /api/v1/agents or /api/v1/agents/{agent_id}/invoke endpoints that include a Host: 127.0.0.1 header from external IP addresses.

Detection coverage 1

Detects CVE-2026-61435 Exploitation - PraisonAI Authentication Bypass

high

Detects CVE-2026-61435 exploitation by monitoring webserver logs for HTTP requests to PraisonAI agent API endpoints with a spoofed Host: 127.0.0.1 header, indicating an authentication bypass attempt.

sigma tactics: initial_access, privilege_escalation techniques: T1068, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →