{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-exposure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003e= 4.5.115, \u003c 4.6.61)"],"_cs_severities":["high"],"_cs_tags":["incomplete-fix","authentication-bypass","api-server","misconfiguration","data-exposure","praisonai"],"_cs_type":"advisory","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eA critical vulnerability exists in PraisonAI, affecting versions \u003ccode\u003e4.5.115\u003c/code\u003e through \u003ccode\u003e4.6.60\u003c/code\u003e, stemming from an incomplete fix for a previously disclosed unauthenticated access issue (GHSA-f292-66h9-fpmf). When an operator starts the A2U (Agent-to-User) event stream server using the documented \u003ccode\u003epraisonai serve a2u\u003c/code\u003e CLI command without explicitly configuring the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable, the server runs without any authentication. This default behavior contradicts the secure-by-default posture implied by the previous fix and current documentation, allowing unauthenticated access to sensitive agent event streams such as responses, tool calls, thinking/progress events, and stream metadata. Attackers can leverage this oversight to gain unauthorized insight into agent activities and potentially exfiltrate sensitive operational data if the server is exposed on a network interface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn operator installs PraisonAI versions between \u003ccode\u003e4.5.115\u003c/code\u003e and \u003ccode\u003e4.6.60\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe operator starts the A2U server using the command \u003ccode\u003epraisonai serve a2u --host 0.0.0.0 --port 8002\u003c/code\u003e (or similar) without setting the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003e_create_a2u_app()\u003c/code\u003e function in \u003ccode\u003esrc/praisonai/praisonai/cli/features/serve.py\u003c/code\u003e registers A2U routes.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecreate_a2u_routes()\u003c/code\u003e function in \u003ccode\u003esrc/praisonai/praisonai/endpoints/a2u_server.py\u003c/code\u003e checks for \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e via \u003ccode\u003eos.environ.get()\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSince \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e is not set, the authentication mechanism (\u003ccode\u003e_authenticate_request()\u003c/code\u003e) returns \u003ccode\u003eNone\u003c/code\u003e, effectively disabling authentication for all A2U endpoints.\u003c/li\u003e\n\u003cli\u003eAn unauthenticated attacker makes an HTTP GET request to \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, or \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e on the exposed PraisonAI A2U server.\u003c/li\u003e\n\u003cli\u003eThe server responds with sensitive agent event stream data, including agent responses, tool calls, thinking/progress events, and stream metadata, without requiring any credentials.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully exfiltrates sensitive operational data or gains intelligence on agent activities.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eAttackers who can reach an unauthenticated PraisonAI A2U server are able to subscribe to sensitive agent event streams without credentials. This exposed data includes agent responses, details of tool calls, internal thinking/progress events, and stream metadata. Organizations relying on PraisonAI and believing the previously announced fix or the secure-by-default documentation may inadvertently deploy the A2U server on network interfaces, exposing these streams. This could lead to the unauthorized disclosure of proprietary operational logic, sensitive internal data processed by agents, or intelligence on ongoing tasks, potentially compromising business operations, intellectual property, or client data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003eUpgrade PraisonAI to a patched version\u003c/strong\u003e: Ensure all PraisonAI installations are updated to version \u003ccode\u003e4.6.61\u003c/code\u003e or later, as specified in the affected range \u003ccode\u003epip:praisonai \u0026gt;= 4.5.115, \u0026lt; 4.6.61\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Authentication\u003c/strong\u003e: For any PraisonAI A2U server currently deployed, explicitly set the \u003ccode\u003eA2U_AUTH_TOKEN\u003c/code\u003e environment variable before starting the \u003ccode\u003epraisonai serve a2u\u003c/code\u003e command to enforce authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy the Sigma rules\u003c/strong\u003e: Deploy the provided Sigma rules to detect unauthenticated access attempts to A2U endpoints in webserver logs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eReview deployment configurations\u003c/strong\u003e: Audit existing \u003ccode\u003epraisonai serve a2u\u003c/code\u003e deployments to confirm that \u003ccode\u003e--host 0.0.0.0\u003c/code\u003e is not used without proper authentication enabled, or that network segmentation limits access to trusted internal hosts only.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:00:49Z","date_published":"2026-06-18T15:00:49Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-unauth-a2u/","summary":"An incomplete fix in PraisonAI's `praisonai serve a2u` command leaves the A2U Agent-to-User event stream server unauthenticated by default, potentially exposing sensitive agent event streams to any attacker who can reach the server, bypassing intended authentication mechanisms for versions `4.5.115` to `4.6.60`.","title":"PraisonAI A2U Incomplete Authentication Fix (GHSA-jxcw-qp4h-6jfq)","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-unauth-a2u/"}],"language":"en","title":"CraftedSignal Threat Feed - Data-Exposure","version":"https://jsonfeed.org/version/1.1"}