{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai--4.6.61/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003c 4.6.61)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","authentication-bypass","api-exploitation","misconfiguration","container"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA high-severity authentication bypass exists in PraisonAI, affecting versions prior to 4.6.61. The vulnerability stems from an undocumented \u0026quot;feature\u0026quot;: setting the \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e environment variable deactivates authentication for the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint entirely. The misconfiguration is likely to be present in production Docker and Docker Compose deployments because the application's own error messages advertise the setting as a convenience option. 
Attackers can leverage this to gain full unauthenticated access to agent invocation functionalities, enabling them to trigger any registered agent and potentially execute arbitrary actions depending on the agent's configured tools, leading to severe compromise of the host system or connected services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies an internet-facing PraisonAI instance, typically deployed via Docker or Docker Compose.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker attempts to interact with the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint without authentication, potentially observing error messages that suggest setting \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e to bypass auth, confirming the misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated API Call\u003c/strong\u003e: The attacker constructs a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e with a malicious payload, targeting a known or guessed agent ID, and sends it to the vulnerable PraisonAI instance without providing any authentication credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Triggering\u003c/strong\u003e: Due to the \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e setting, the PraisonAI server bypasses all authentication checks and processes the unauthenticated request, triggering the specified agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via Agent Tools\u003c/strong\u003e: The activated agent, configured with specific tools (e.g., shell access, Python interpreter, API keys), executes arbitrary actions as dictated by the attacker's payload injected via the \u003ccode\u003einvoke\u003c/code\u003e 
endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: This unauthenticated execution leads to consequences such as data exfiltration, remote code execution, system compromise, or further lateral movement within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is full unauthenticated access to the PraisonAI agent invocation API. If exploited, an attacker can trigger any registered agent on the server without needing valid credentials. This means that if an agent has been configured with access to sensitive systems or functionalities (e.g., shell command execution, database access, cloud API keys), the attacker can leverage these capabilities to execute arbitrary actions. This can result in data exfiltration, privilege escalation, remote code execution, or complete compromise of the underlying server and connected resources. The ease of exploitation and potential for severe consequences makes this a critical security concern for organizations running affected PraisonAI versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update PraisonAI instances to version \u003ccode\u003e4.6.61\u003c/code\u003e or newer to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview all Dockerfiles, Docker Compose configurations, and environment variable settings for PraisonAI deployments to ensure \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e is not present, or is explicitly set to \u003ccode\u003eenabled\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided \u003ccode\u003eDetect PraisonAI Unauthenticated Agent Invocation\u003c/code\u003e Sigma rule to your SIEM to monitor for exploitation attempts against the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the 
provided \u003ccode\u003eDetect PraisonAI PRAISONAI_CALL_AUTH=disabled Misconfiguration\u003c/code\u003e Sigma rule to your EDR/SIEM to identify systems misconfigured with the vulnerable environment variable.\u003c/li\u003e\n\u003cli\u003eImplement strict network access controls to limit access to PraisonAI instances, particularly the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e API endpoint, to only trusted internal networks or specific services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:55:58Z","date_published":"2026-06-18T14:55:58Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-auth-bypass/","summary":"A high-severity authentication bypass vulnerability in PraisonAI versions prior to 4.6.61 allows unauthenticated attackers to invoke any registered agent by setting the `PRAISONAI_CALL_AUTH=disabled` environment variable, potentially leading to arbitrary code execution or system compromise.","title":"PraisonAI Authentication Bypass via PRAISONAI_CALL_AUTH=disabled","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003c 4.6.61)"],"_cs_severities":["critical"],"_cs_tags":["LLM","AI","supply-chain","arbitrary-file-read","arbitrary-file-write","path-traversal","RCE"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA severe arbitrary file read and write vulnerability has been discovered in the \u003ccode\u003emultiedit\u003c/code\u003e tool within the PraisonAI framework, impacting versions prior to 4.6.61. This flaw, tracked as GHSA-29w3-p9w9-wc47, arises from a complete lack of path validation, workspace boundary checks, or protected path guards when the \u003ccode\u003efilepath\u003c/code\u003e parameter is used with \u003ccode\u003eopen()\u003c/code\u003e for both read and write operations. 
Threat actors can exploit this by crafting malicious prompts, user inputs in chatbots, or YAML workflow configurations that influence an AI agent's arguments to the \u003ccode\u003emultiedit\u003c/code\u003e tool. This allows exfiltration of sensitive information, such as SSH keys and cloud credentials, and the overwrite of critical system or application files, potentially leading to privilege escalation and remote code execution on affected systems.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access\u003c/strong\u003e: A threat actor crafts malicious input (e.g., a specially designed prompt, a user message in a chatbot, or a YAML workflow configuration) to influence the arguments of an AI agent built on the PraisonAI framework.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Interaction\u003c/strong\u003e: The AI agent, operating with the vulnerable PraisonAI \u003ccode\u003emultiedit\u003c/code\u003e tool, receives and processes the attacker-controlled input, which specifies a malicious \u003ccode\u003efilepath\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTool Execution\u003c/strong\u003e: The AI agent calls the \u003ccode\u003emultiedit\u003c/code\u003e tool in-process with the unvalidated \u003ccode\u003efilepath\u003c/code\u003e (for example \u003ccode\u003e/etc/shadow\u003c/code\u003e). Because the tool hands that argument straight to \u003ccode\u003eopen()\u003c/code\u003e, the agent's own Python process performs the read or write, which is what the process-creation and file-event telemetry recommended below observes.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Read\u003c/strong\u003e: The \u003ccode\u003emultiedit\u003c/code\u003e tool, lacking path validation, reads the attacker-specified sensitive file (e.g., \u003ccode\u003e/etc/shadow\u003c/code\u003e, \u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e) and leaks it via the \u003ccode\u003edry_run\u003c/code\u003e output or other return 
mechanisms.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eArbitrary File Write\u003c/strong\u003e: Simultaneously or subsequently, the attacker can use the \u003ccode\u003emultiedit\u003c/code\u003e tool to write to or overwrite critical system or user configuration files (e.g., \u003ccode\u003e~/.bashrc\u003c/code\u003e, \u003ccode\u003e~/.ssh/authorized_keys\u003c/code\u003e, web application source code).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation / Persistence\u003c/strong\u003e: By writing to files like \u003ccode\u003eauthorized_keys\u003c/code\u003e or shell startup scripts, the attacker establishes persistence, gains elevated privileges, or achieves remote code execution upon the next login or script execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: The attacker exfiltrates sensitive data (step 4) or executes arbitrary commands (step 6), leading to full system compromise, data destruction, or further network lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability poses a critical risk to PraisonAI deployments, particularly where AI agents interact with user-provided input or process untrusted configurations with \u003ccode\u003eauto_approve_tools=True\u003c/code\u003e. Successful exploitation allows attackers, who can influence the \u003ccode\u003efilepath\u003c/code\u003e parameter, to read any file accessible by the PraisonAI process user, including highly sensitive data like SSH private keys (\u003ccode\u003e~/.ssh/id_rsa\u003c/code\u003e), AWS credentials (\u003ccode\u003e~/.aws/credentials\u003c/code\u003e), \u003ccode\u003e/etc/shadow\u003c/code\u003e, and \u003ccode\u003e.env\u003c/code\u003e files. 
Furthermore, attackers can overwrite arbitrary files, enabling outcomes such as defacing web applications, injecting malicious scripts into startup files (\u003ccode\u003e.bashrc\u003c/code\u003e), or gaining persistent access and privilege escalation by writing to \u003ccode\u003eauthorized_keys\u003c/code\u003e. The broad impact on confidentiality, integrity, and availability makes this a severe threat for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the \u003ccode\u003epraisonai\u003c/code\u003e package to version \u003ccode\u003e4.6.61\u003c/code\u003e or later immediately to remediate the GHSA-29w3-p9w9-wc47 vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM for detection of suspicious Python activity targeting sensitive files.\u003c/li\u003e\n\u003cli\u003eEnsure Sysmon process-creation and file-event logging is enabled on systems running PraisonAI agents; without that telemetry the rules above have nothing to match on.\u003c/li\u003e\n\u003cli\u003eIf possible, configure PraisonAI agents to require explicit approval for tool usage (e.g., using \u003ccode\u003e@require_approval(risk_level=\u0026quot;high\u0026quot;)\u003c/code\u003e on sensitive tools) instead of \u003ccode\u003eauto_approve_tools=True\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:47:14Z","date_published":"2026-06-18T14:47:14Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-multiedit-rce/","summary":"A critical vulnerability in PraisonAI's `multiedit` tool, affecting versions prior to 4.6.61, enables threat actors to achieve arbitrary file read and write capabilities by influencing LLM agent tool arguments, leading to sensitive data exfiltration and potential remote code execution.","title":"PraisonAI `multiedit` Tool Vulnerability Allows Arbitrary File Read/Write and 
RCE","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-multiedit-rce/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonai (\u003c 4.6.61)","version":"https://jsonfeed.org/version/1.1"}
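The first brief in the feed recommends reviewing Dockerfiles, Compose files and environment settings for PRAISONAI_CALL_AUTH=disabled and watching the /api/v1/agents/{id}/invoke endpoint for exploitation. The Python below is an added example, not PraisonAI code and not the feed's Sigma rules: a config scanner that covers the common spellings of the variable across Dockerfile, Compose, .env and shell-export forms, plus a check over access-log lines that flags unauthenticated invoke calls the server accepted (a 401 means auth is enforced; a 2xx without credentials is the live signature of the bypass). The config samples and the log-line format are constructed for this example; the assumption that the literal value "disabled" is the bypass comes from the brief.

```python
"""Audit helpers for the PRAISONAI_CALL_AUTH=disabled bypass.

Added example, not PraisonAI code. Assumptions: the dangerous value is the
literal "disabled" (matched case-insensitively), and the access-log shape used
by SAMPLE_LOG below is constructed for this example, not a real server format.
"""
import re

VAR = "PRAISONAI_CALL_AUTH"
BYPASS_VALUE = "disabled"  # the value the advisory says switches auth off

# VAR=value and VAR: value forms: compose (list and map style), .env files,
# Dockerfile ENV with '=', and 'export VAR=value' in shell wrappers.
_ASSIGN = re.compile(rf"\b{VAR}\s*[=:]\s*[\"']?(?P<val>[^\"'\s,]+)", re.I)
# Legacy Dockerfile form without '=':  ENV PRAISONAI_CALL_AUTH disabled
_ENV_SPACE = re.compile(rf"^\s*ENV\s+{VAR}\s+[\"']?(?P<val>[^\"'\s]+)", re.I)


def find_auth_settings(text, source):
    """Return every assignment of PRAISONAI_CALL_AUTH found in a config text.

    Each finding carries the source name, 1-based line number, the value and
    whether that value is the bypass. Comment lines are skipped so a
    commented-out setting does not raise a false alarm.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.search(line) or _ENV_SPACE.match(line)
        if m:
            val = m.group("val")
            findings.append({"source": source, "line": lineno, "value": val,
                             "bypass": val.lower() == BYPASS_VALUE})
    return findings


# Constructed access-log shape: client "METHOD path HTTP/x" status auth=<scheme|none>
_LOG = re.compile(r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                  r'(?P<status>\d{3}) auth=(?P<auth>\S+)$')
_INVOKE_PATH = re.compile(r"^/api/v1/agents/[^/]+/invoke$")


def unauthenticated_invocations(log_lines):
    """Return (client, path, status) for invoke calls with no credentials that
    still got a 2xx. A 401 on such a call means auth is enforced; a 2xx means
    the server accepted it, i.e. the bypass is active."""
    hits = []
    for line in log_lines:
        m = _LOG.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        if (m.group("method") == "POST" and _INVOKE_PATH.match(m.group("path"))
                and m.group("auth") == "none" and 200 <= status < 300):
            hits.append((m.group("client"), m.group("path"), status))
    return hits


# Constructed sample inputs.
SAMPLE_DOCKERFILE = """\
FROM python:3.12-slim
# PRAISONAI_CALL_AUTH=disabled   (commented out: must not fire)
ENV PRAISONAI_PORT=8080 PRAISONAI_CALL_AUTH="disabled"
ENV OTHER_VAR disabled
"""

SAMPLE_COMPOSE = """\
services:
  praisonai-dev:
    image: praisonai
    environment:
      - PRAISONAI_CALL_AUTH=disabled
  praisonai-prod:
    image: praisonai
    environment:
      PRAISONAI_CALL_AUTH: "enabled"
"""

SAMPLE_LOG = [
    '203.0.113.7 "POST /api/v1/agents/42/invoke HTTP/1.1" 200 auth=none',
    '10.0.0.5 "POST /api/v1/agents/42/invoke HTTP/1.1" 200 auth=bearer',
    '203.0.113.7 "POST /api/v1/agents/42/invoke HTTP/1.1" 401 auth=none',
    '203.0.113.9 "GET /api/v1/agents HTTP/1.1" 200 auth=none',
]


def audit():
    """Run both checks over the samples and return the combined report."""
    return {
        "config": find_auth_settings(SAMPLE_DOCKERFILE, "Dockerfile")
                  + find_auth_settings(SAMPLE_COMPOSE, "docker-compose.yml"),
        "live_bypass": unauthenticated_invocations(SAMPLE_LOG),
    }


if __name__ == "__main__":
    report = audit()
    for finding in report["config"]:
        flag = "BYPASS" if finding["bypass"] else "ok"
        print(f'{finding["source"]}:{finding["line"]} {VAR}={finding["value"]} [{flag}]')
    for client, path, status in report["live_bypass"]:
        print(f"unauthenticated invoke accepted: {client} {path} -> {status}")
```

The scanner reports every explicit setting, not only the bypass, so a reviewer also sees where the variable is deliberately set; the log check is the static scanner's runtime counterpart, since an instance that inherits the variable from an orchestrator secret or a shell wrapper will not show up in the files at all.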
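The second brief describes the multiedit bug as a filepath handed to open() with no workspace-boundary check and no protected-path guard. The Python below is an added example, not PraisonAI's multiedit source: it places that vulnerable pattern beside a hardened form that resolves the path with realpath (so symlinks and ".." are followed before the boundary is checked), compares it against the workspace with commonpath, and refuses a short list of protected names. The function names, the edit format (a list of {"old": ..., "new": ...} replacements), the tilde expansion in the unsafe form and the protected-name list are assumptions; the temporary workspace and the stand-in "shadow" file are constructed so the demo runs without touching real system files.

```python
"""A file-editing tool's path handling, vulnerable form beside hardened form.

Added example, not PraisonAI's multiedit implementation. Function names, the
edit format, tilde handling and PROTECTED_NAMES are assumptions chosen to
illustrate the bug class GHSA-29w3-p9w9-wc47 describes. Linux paths assumed.
"""
import os
import tempfile


class PathViolation(Exception):
    """Raised when a requested path is outside the workspace or protected."""


def _apply(content, edits):
    for e in edits:
        content = content.replace(e["old"], e["new"])
    return content


def multiedit_unsafe(filepath, edits, dry_run=False):
    """Vulnerable pattern: the caller's path goes straight to open() twice.

    Whatever an LLM puts in filepath is read and, unless dry_run is set, written
    back, with no boundary or protected-path check. dry_run returns the whole
    file content, which is the read-side leak.
    """
    path = os.path.expanduser(filepath)  # assumption: '~/.ssh/id_rsa' expands
    with open(path) as f:
        content = _apply(f.read(), edits)
    if not dry_run:
        with open(path, "w") as f:
            f.write(content)
    return content


PROTECTED_NAMES = {".env", ".ssh", ".aws", ".bashrc", "authorized_keys", "id_rsa"}


def resolve_in_workspace(workspace, filepath):
    """Resolve filepath inside workspace or raise PathViolation.

    realpath follows symlinks, so a link inside the workspace pointing at an
    outside file resolves outside and is rejected. commonpath (not startswith)
    avoids treating /work-other as inside /work. os.path.join discards the
    workspace when filepath is absolute, so absolute paths fail the same check.
    """
    if filepath.startswith("~"):
        raise PathViolation("home-relative paths are not allowed")
    root = os.path.realpath(workspace)
    target = os.path.realpath(os.path.join(root, filepath))
    if target == root or os.path.commonpath([root, target]) != root:
        raise PathViolation(f"{filepath!r} resolves outside the workspace")
    if any(p in PROTECTED_NAMES for p in os.path.relpath(target, root).split(os.sep)):
        raise PathViolation(f"{filepath!r} touches a protected path")
    return target


def multiedit_safe(workspace, filepath, edits, dry_run=False):
    """Hardened form: validate before the first open()."""
    target = resolve_in_workspace(workspace, filepath)
    with open(target) as f:
        content = _apply(f.read(), edits)
    if not dry_run:
        with open(target, "w") as f:
            f.write(content)
    return content


def demo():
    """Exercise both tools in a throwaway workspace beside an out-of-tree secret.
    Returns the observed behaviours as a dict so they can be compared."""
    results = {}
    with tempfile.TemporaryDirectory() as ws, tempfile.TemporaryDirectory() as outside:
        secret = os.path.join(outside, "shadow")  # constructed stand-in for /etc/shadow
        with open(secret, "w") as f:
            f.write("root:$6$constructed-hash:19000:0:99999:7:::\n")
        with open(os.path.join(ws, "app.py"), "w") as f:
            f.write("DEBUG = True\n")
        os.symlink(secret, os.path.join(ws, "link"))  # planted link to the secret

        # Unsafe tool: absolute path is read back via dry_run, then overwritten.
        results["unsafe_read"] = multiedit_unsafe(secret, [], dry_run=True)
        multiedit_unsafe(secret, [{"old": "root:", "new": "pwned:"}])
        with open(secret) as f:
            results["unsafe_write"] = f.read().startswith("pwned:")

        # Hardened tool: every escape route is refused before any open().
        attempts = [
            ("absolute", secret),
            ("symlink", "link"),
            ("dotdot", os.path.join("..", os.path.basename(outside), "shadow")),
            ("tilde", "~/.ssh/id_rsa"),
            ("protected", ".env"),
        ]
        results["blocked"] = []
        for label, path in attempts:
            try:
                multiedit_safe(ws, path, [], dry_run=True)
            except PathViolation:
                results["blocked"].append(label)
        # An ordinary in-workspace edit still works.
        results["safe_edit"] = multiedit_safe(ws, "app.py", [{"old": "True", "new": "False"}])
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The order of the checks matters: the boundary check runs on the resolved path before any open(), so a nonexistent protected name is refused rather than leaking an error that reveals whether it exists, and a symlink planted in the workspace cannot turn a "relative" path into an absolute one. The hardened dry_run still returns file content, but only for files the check admitted, which is the point of the brief's recommendation to pair path validation with explicit tool approval.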