{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/rce-potential/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.2,"id":"CVE-2026-61435"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","vulnerability","web-application","rce-potential"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eCVE-2026-61435 describes a high-severity authentication bypass vulnerability affecting PraisonAI software versions prior to 4.6.78. This flaw specifically impacts the Call API agent invocation endpoints, located in \u003ccode\u003esrc/praisonai/praisonai/api/agent_invoke.py\u003c/code\u003e, when the \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e configuration option is enabled. The vulnerability stems from an insecure method of deriving the bind host for a localhost-only safeguard. Instead of using a trusted source, the system relies on the \u003ccode\u003erequest.url.hostname\u003c/code\u003e value, which is populated directly from the client-controlled HTTP \u003ccode\u003eHost\u003c/code\u003e header. A remote, unauthenticated attacker can exploit this by crafting a request with a spoofed \u003ccode\u003eHost: 127.0.0.1\u003c/code\u003e header. This malicious request bypasses the intended localhost-only restriction, enabling the attacker to list all registered agents and invoke them without any authentication, potentially leading to unauthorized access, command execution, or data manipulation depending on the capabilities of the agents.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a PraisonAI instance exposed to the network, likely through reconnaissance or internet-wide scanning.\u003c/li\u003e\n\u003cli\u003eThe attacker determines that the target PraisonAI instance is configured with \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to the \u003ccode\u003e/api/v1/agents\u003c/code\u003e endpoint, including a spoofed \u003ccode\u003eHost: 127.0.0.1\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server processes the request, mistakenly identifying it as a local request due to the spoofed \u003ccode\u003eHost\u003c/code\u003e header, and bypasses the authentication check.\u003c/li\u003e\n\u003cli\u003eThe server responds to the attacker with a list of all registered agents on the system, including their \u003ccode\u003eagent_id\u003c/code\u003e values.\u003c/li\u003e\n\u003cli\u003eUsing the obtained \u003ccode\u003eagent_id\u003c/code\u003e, the attacker crafts an HTTP POST request to the \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e endpoint, again including the spoofed \u003ccode\u003eHost: 127.0.0.1\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe PraisonAI server invokes the specified agent without requiring authentication, allowing the attacker to execute arbitrary actions defined by the agent's functionality.\u003c/li\u003e\n\u003cli\u003eThis results in unauthorized control over PraisonAI agents, leading to potential data exposure, system modification, or further compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61435 grants an unauthenticated, remote attacker full unauthorized access to list and invoke any registered PraisonAI agent. The impact can range from information disclosure, such as gaining insights into the agents' configurations and capabilities, to significant system compromise. Depending on the functions and permissions of the invoked agents, an attacker could potentially execute arbitrary code, exfiltrate sensitive data, manipulate internal processes, or disrupt services. The broad nature of \u0026quot;agent invocation\u0026quot; implies a high degree of control over the PraisonAI environment and any systems or data the agents can access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade PraisonAI to version 4.6.78 or later to patch CVE-2026-61435.\u003c/li\u003e\n\u003cli\u003eReview your PraisonAI configuration and ensure \u003ccode\u003ePRAISONAI_CALL_AUTH\u003c/code\u003e is not set to \u003ccode\u003edisabled\u003c/code\u003e unless absolutely necessary and appropriate compensating controls are in place.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026quot;Detects CVE-2026-61435 Exploitation - PraisonAI Authentication Bypass\u0026quot; to your SIEM and investigate any alerts. This rule specifically targets the \u003ccode\u003eHost\u003c/code\u003e header spoofing behavior.\u003c/li\u003e\n\u003cli\u003eMonitor \u003ccode\u003ewebserver\u003c/code\u003e logs for HTTP requests to \u003ccode\u003e/api/v1/agents\u003c/code\u003e or \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e endpoints that include a \u003ccode\u003eHost: 127.0.0.1\u003c/code\u003e header from external IP addresses.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T12:30:37Z","date_published":"2026-07-15T12:30:37Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61435-praisonai/","summary":"PraisonAI versions prior to 4.6.78 contain an authentication bypass vulnerability in the Call API agent invocation endpoints when PRAISONAI_CALL_AUTH=disabled is configured, allowing an unauthenticated attacker to remotely list and invoke registered agents by sending a spoofed 'Host: 127.0.0.1' HTTP header.","title":"Authentication Bypass in PraisonAI Call API via Host Header Spoofing (CVE-2026-61435)","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61435-praisonai/"}],"language":"en","title":"CraftedSignal Threat Feed - Rce-Potential","version":"https://jsonfeed.org/version/1.1"}