Praisonai (< 4.6.61) - CraftedSignal Threat Feed

PraisonAI Authentication Bypass via PRAISONAI_CALL_AUTH=disabled

hello@craftedsignal.io — Thu, 18 Jun 2026 14:55:58 +0000

A critical authentication bypass exists in PraisonAI, affecting versions prior to 4.6.61. The vulnerability stems from an undocumented "feature" where setting the PRAISONAI_CALL_AUTH=disabled environment variable completely deactivates authentication for the /api/v1/agents/{id}/invoke endpoint. This misconfiguration is highly likely to be present in production Docker and Docker Compose deployments due to the application's own error messages explicitly advertising this bypass as a convenience option. Attackers can leverage this to gain full unauthenticated access to agent invocation functionalities, enabling them to trigger any registered agent and potentially execute arbitrary actions depending on the agent's configured tools, leading to severe compromise of the host system or connected services.

Attack Chain

Reconnaissance: An attacker identifies an internet-facing PraisonAI instance, typically deployed via Docker or Docker Compose.
Vulnerability Identification: The attacker attempts to interact with the /api/v1/agents/{id}/invoke endpoint without authentication, potentially observing error messages that suggest setting PRAISONAI_CALL_AUTH=disabled to bypass auth, confirming the misconfiguration.
Unauthenticated API Call: The attacker constructs a POST request to /api/v1/agents/{agent_id}/invoke with a malicious payload, targeting a known or guessed agent ID, and sends it to the vulnerable PraisonAI instance without providing any authentication credentials.
Agent Triggering: Due to the PRAISONAI_CALL_AUTH=disabled setting, the PraisonAI server bypasses all authentication checks and processes the unauthenticated request, triggering the specified agent.
Execution via Agent Tools: The activated agent, configured with specific tools (e.g., shell access, Python interpreter, API keys), executes arbitrary actions as dictated by the attacker's payload injected via the invoke endpoint.
Impact: This unauthenticated execution leads to consequences such as data exfiltration, remote code execution, system compromise, or further lateral movement within the compromised environment.

Impact

The primary impact of this vulnerability is full unauthenticated access to the PraisonAI agent invocation API. If exploited, an attacker can trigger any registered agent on the server without needing valid credentials. This means that if an agent has been configured with access to sensitive systems or functionalities (e.g., shell command execution, database access, cloud API keys), the attacker can leverage these capabilities to execute arbitrary actions. This can result in data exfiltration, privilege escalation, remote code execution, or complete compromise of the underlying server and connected resources. The ease of exploitation and potential for severe consequences makes this a critical security concern for organizations running affected PraisonAI versions.

Recommendation

Immediately update PraisonAI instances to version 4.6.61 or newer to remediate the vulnerability.
Review all Dockerfiles, Docker Compose configurations, and environment variable settings for PraisonAI deployments to ensure PRAISONAI_CALL_AUTH=disabled is not present, or is explicitly set to enabled.
Deploy the provided Detect PraisonAI Unauthenticated Agent Invocation Sigma rule to your SIEM to monitor for exploitation attempts against the /api/v1/agents/{id}/invoke endpoint.
Deploy the provided Detect PraisonAI PRAISONAI_CALL_AUTH=disabled Misconfiguration Sigma rule to your EDR/SIEM to identify systems misconfigured with the vulnerable environment variable.
Implement strict network access controls to limit access to PraisonAI instances, particularly the /api/v1/agents/{id}/invoke API endpoint, to only trusted internal networks or specific services.

PraisonAI `multiedit` Tool Vulnerability Allows Arbitrary File Read/Write and RCE

hello@craftedsignal.io — Thu, 18 Jun 2026 14:47:14 +0000

A severe arbitrary file read and write vulnerability has been discovered in the multiedit tool within the PraisonAI framework, impacting versions prior to 4.6.61. This flaw, tracked as GHSA-29w3-p9w9-wc47, arises from a complete lack of path validation, workspace boundary checks, or protected path guards when the filepath parameter is used with open() for both read and write operations. Threat actors can exploit this by crafting malicious prompts, user inputs in chatbots, or YAML workflow configurations that influence an AI agent's arguments to the multiedit tool. This allows for the exfiltration of sensitive information, such as SSH keys and cloud credentials, and the overwrite of critical system or application files, potentially leading to privilege escalation and remote code execution on affected systems.

Attack Chain

Initial Access: A threat actor crafts malicious input (e.g., a specially designed prompt, a user message in a chatbot, or a YAML workflow configuration) to influence the arguments of an AI agent utilizing the PraisonAI framework.
Agent Interaction: The AI agent, operating with the vulnerable PraisonAI multiedit tool, receives and processes the attacker-controlled input, which specifies a malicious filepath parameter.
Tool Execution: The AI agent invokes the multiedit tool (e.g., via python -c "import praisonai.tools.multiedit; multiedit('/etc/shadow', ...)") with the unvalidated filepath.
Arbitrary File Read: The multiedit tool, due to missing path validation, attempts to read content from the attacker-specified sensitive file (e.g., /etc/shadow, ~/.ssh/id_rsa) and leaks it via the dry_run output or other return mechanisms.
Arbitrary File Write: Simultaneously or subsequently, the attacker can use the multiedit tool to write to or overwrite critical system or user configuration files (e.g., ~/.bashrc, ~/.ssh/authorized_keys, web application source code).
Privilege Escalation / Persistence: By writing to files like authorized_keys or shell startup scripts, the attacker establishes persistence, gains elevated privileges, or achieves remote code execution upon the next login or script execution.
Impact: The attacker exfiltrates sensitive data (step 4) or executes arbitrary commands (step 6), leading to full system compromise, data destruction, or further network lateral movement.

Impact

This vulnerability poses a critical risk to PraisonAI deployments, particularly where AI agents interact with user-provided input or process untrusted configurations with auto_approve_tools=True. Successful exploitation allows attackers, who can influence the filepath parameter, to read any file accessible by the PraisonAI process user, including highly sensitive data like SSH private keys (~/.ssh/id_rsa), AWS credentials (~/.aws/credentials), /etc/shadow, and .env files. Furthermore, attackers can overwrite arbitrary files, enabling various destructive outcomes such as defacing web applications, injecting malicious scripts into startup files (.bashrc), or gaining persistent access and privilege escalation by writing to authorized_keys. The broad impact on confidentiality, integrity, and availability makes this a severe threat for affected organizations.

Recommendation

Upgrade the praisonai package to version 4.6.61 or later immediately to remediate the GHSA-29w3-p9w9-wc47 vulnerability.
Deploy the provided Sigma rules to your SIEM for detection of suspicious Python activity targeting sensitive files.
Ensure Sysmon process-creation and file-event logging is enabled on systems running PraisonAI agents to activate the rules above.
If possible, configure PraisonAI agents to require explicit approval for tool usage (e.g., using @require_approval(risk_level="high") on sensitive tools) instead of auto_approve_tools=True.