PraisonAI (<= 4.6.39) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/praisonai--4.6.39/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 29 May 2026 22:29:38 +0000PraisonAI Call Server Unauthenticated Agent Control APIhttps://feed.craftedsignal.io/briefs/2026-05-praisonai-unauth-api/Fri, 29 May 2026 22:29:38 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-praisonai-unauth-api/PraisonAI's call server exposes a network-facing agent control API without authentication when `CALL_SERVER_TOKEN` is not configured, allowing attackers to list, inspect, invoke, and unregister agents due to a fail-open authentication default and a default binding to `0.0.0.0`, as tracked by CVE-2026-47396.PraisonAI’s call server is vulnerable to unauthenticated access to its agent control API when the CALL_SERVER_TOKEN environment variable is not set. This occurs because the verify_token() authentication helper in praisonai/api/agent_invoke.py fails open in the absence of the token. The call server is bundled with the vulnerable router and defaults to binding to all interfaces (0.0.0.0). Consequently, operators who launch the call server without setting CALL_SERVER_TOKEN risk exposing an unauthenticated remote agent control plane. This vulnerability affects PraisonAI versions up to and including 4.6.39 and is tracked as CVE-2026-47396.

Attack Chain

  1. The PraisonAI call server is started without setting the CALL_SERVER_TOKEN environment variable.
  2. The praisonai.api.agent_invoke router is mounted by praisonai.api.call.
  3. The call server binds to 0.0.0.0, making it accessible from any reachable client.
  4. An attacker sends an unauthenticated HTTP GET request to /api/v1/agents to list registered agents.
  5. The attacker retrieves agent metadata and instructions by sending an unauthenticated HTTP GET request to /api/v1/agents/{agent_id}.
  6. The attacker invokes an agent by sending an unauthenticated HTTP POST request to /api/v1/agents/{agent_id}/invoke with a crafted message.
  7. The agent executes, potentially triggering downstream tools or external integrations.
  8. The attacker unregisters the agent via an unauthenticated HTTP DELETE request to /api/v1/agents/{agent_id}, disrupting availability.

Impact

Running the PraisonAI call server without setting CALL_SERVER_TOKEN allows any reachable client to enumerate, inspect, invoke, and unregister agents. This can lead to information disclosure, unauthorized agent execution, consumption of model or API budget, disruption of service, and potentially the execution of privileged actions if agents are connected to external APIs, internal systems, or local tools. The severity depends on the deployed agents and their connected tools. This vulnerability is tracked as CVE-2026-47396.

Recommendation

  • Set the CALL_SERVER_TOKEN environment variable when deploying the PraisonAI call server to enable authentication.
  • Deploy the Sigma rule “Detect PraisonAI Unauthenticated Agent Listing” to detect attempts to list agents without authentication by monitoring HTTP GET requests to /api/v1/agents.
  • Deploy the Sigma rule “Detect PraisonAI Unauthenticated Agent Invocation” to detect attempts to invoke agents without authentication by monitoring HTTP POST requests to /api/v1/agents/{agent_id}/invoke.
  • Monitor network connections to the PraisonAI call server to identify potentially unauthorized access attempts, especially if the server is exposed to the internet.
]]>criticaladvisorypraisonaiunauthenticated-accessapi