{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai--4.6.39/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (\u003c= 4.6.39)"],"_cs_severities":["critical"],"_cs_tags":["praisonai","unauthenticated-access","api"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003ePraisonAI\u0026rsquo;s call server is vulnerable to unauthenticated access to its agent control API when the \u003ccode\u003eCALL_SERVER_TOKEN\u003c/code\u003e environment variable is not set. This occurs because the \u003ccode\u003everify_token()\u003c/code\u003e authentication helper in \u003ccode\u003epraisonai/api/agent_invoke.py\u003c/code\u003e fails open in the absence of the token. The call server is bundled with the vulnerable router and defaults to binding to all interfaces (0.0.0.0). Consequently, operators who launch the call server without setting \u003ccode\u003eCALL_SERVER_TOKEN\u003c/code\u003e risk exposing an unauthenticated remote agent control plane. This vulnerability affects PraisonAI versions up to and including 4.6.39 and is tracked as CVE-2026-47396.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe PraisonAI call server is started without setting the \u003ccode\u003eCALL_SERVER_TOKEN\u003c/code\u003e environment variable.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epraisonai.api.agent_invoke\u003c/code\u003e router is mounted by \u003ccode\u003epraisonai.api.call\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe call server binds to \u003ccode\u003e0.0.0.0\u003c/code\u003e, making it accessible from any reachable client.\u003c/li\u003e\n\u003cli\u003eAn attacker sends an unauthenticated HTTP GET request to \u003ccode\u003e/api/v1/agents\u003c/code\u003e to list registered agents.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves agent metadata and instructions by sending an unauthenticated HTTP GET request to \u003ccode\u003e/api/v1/agents/{agent_id}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker invokes an agent by sending an unauthenticated HTTP POST request to \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e with a crafted message.\u003c/li\u003e\n\u003cli\u003eThe agent executes, potentially triggering downstream tools or external integrations.\u003c/li\u003e\n\u003cli\u003eThe attacker unregisters the agent via an unauthenticated HTTP DELETE request to \u003ccode\u003e/api/v1/agents/{agent_id}\u003c/code\u003e, disrupting availability.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eRunning the PraisonAI call server without setting \u003ccode\u003eCALL_SERVER_TOKEN\u003c/code\u003e allows any reachable client to enumerate, inspect, invoke, and unregister agents. This can lead to information disclosure, unauthorized agent execution, consumption of model or API budget, disruption of service, and potentially the execution of privileged actions if agents are connected to external APIs, internal systems, or local tools. The severity depends on the deployed agents and their connected tools. This vulnerability is tracked as CVE-2026-47396.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eSet the \u003ccode\u003eCALL_SERVER_TOKEN\u003c/code\u003e environment variable when deploying the PraisonAI call server to enable authentication.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Unauthenticated Agent Listing\u0026rdquo; to detect attempts to list agents without authentication by monitoring HTTP GET requests to \u003ccode\u003e/api/v1/agents\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect PraisonAI Unauthenticated Agent Invocation\u0026rdquo; to detect attempts to invoke agents without authentication by monitoring HTTP POST requests to \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the PraisonAI call server to identify potentially unauthorized access attempts, especially if the server is exposed to the internet.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-29T22:29:38Z","date_published":"2026-05-29T22:29:38Z","id":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-unauth-api/","summary":"PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured, allowing attackers to list, inspect, invoke, and unregister agents due to a fail-open authentication default and a default binding to `0.0.0.0`, as tracked by CVE-2026-47396.","title":"PraisonAI Call Server Unauthenticated Agent Control API","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-unauth-api/"}],"language":"en","title":"CraftedSignal Threat Feed — PraisonAI (\u003c= 4.6.39)","version":"https://jsonfeed.org/version/1.1"}