<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Rce-Potential - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/rce-potential/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 12:30:37 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/rce-potential/feed.xml" rel="self" type="application/rss+xml"/><item><title>Authentication Bypass in PraisonAI Call API via Host Header Spoofing (CVE-2026-61435)</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61435-praisonai/</link><pubDate>Wed, 15 Jul 2026 12:30:37 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61435-praisonai/</guid><description>PraisonAI versions prior to 4.6.78 contain an authentication bypass vulnerability in the Call API agent invocation endpoints when PRAISONAI_CALL_AUTH=disabled is configured, allowing an unauthenticated attacker to remotely list and invoke registered agents by sending a spoofed 'Host: 127.0.0.1' HTTP header.</description><content:encoded><![CDATA[<p>CVE-2026-61435 describes a high-severity authentication bypass vulnerability affecting PraisonAI software versions prior to 4.6.78. This flaw specifically impacts the Call API agent invocation endpoints, located in <code>src/praisonai/praisonai/api/agent_invoke.py</code>, when the <code>PRAISONAI_CALL_AUTH=disabled</code> configuration option is enabled. The vulnerability stems from an insecure method of deriving the bind host for a localhost-only safeguard. Instead of using a trusted source, the system relies on the <code>request.url.hostname</code> value, which is populated directly from the client-controlled HTTP <code>Host</code> header. A remote, unauthenticated attacker can exploit this by crafting a request with a spoofed <code>Host: 127.0.0.1</code> header. This malicious request bypasses the intended localhost-only restriction, enabling the attacker to list all registered agents and invoke them without any authentication, potentially leading to unauthorized access, command execution, or data manipulation depending on the capabilities of the agents.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a PraisonAI instance exposed to the network, likely through reconnaissance or internet-wide scanning.</li>
<li>The attacker determines that the target PraisonAI instance is configured with <code>PRAISONAI_CALL_AUTH=disabled</code>.</li>
<li>The attacker crafts an HTTP GET request to the <code>/api/v1/agents</code> endpoint, including a spoofed <code>Host: 127.0.0.1</code> header.</li>
<li>The PraisonAI server processes the request, mistakenly identifying it as a local request due to the spoofed <code>Host</code> header, and bypasses the authentication check.</li>
<li>The server responds to the attacker with a list of all registered agents on the system, including their <code>agent_id</code> values.</li>
<li>Using the obtained <code>agent_id</code>, the attacker crafts an HTTP POST request to the <code>/api/v1/agents/{agent_id}/invoke</code> endpoint, again including the spoofed <code>Host: 127.0.0.1</code> header.</li>
<li>The PraisonAI server invokes the specified agent without requiring authentication, allowing the attacker to execute arbitrary actions defined by the agent's functionality.</li>
<li>This results in unauthorized control over PraisonAI agents, leading to potential data exposure, system modification, or further compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61435 grants an unauthenticated, remote attacker full unauthorized access to list and invoke any registered PraisonAI agent. The impact can range from information disclosure, such as gaining insights into the agents' configurations and capabilities, to significant system compromise. Depending on the functions and permissions of the invoked agents, an attacker could potentially execute arbitrary code, exfiltrate sensitive data, manipulate internal processes, or disrupt services. The broad nature of &quot;agent invocation&quot; implies a high degree of control over the PraisonAI environment and any systems or data the agents can access.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade PraisonAI to version 4.6.78 or later to patch CVE-2026-61435.</li>
<li>Review your PraisonAI configuration and ensure <code>PRAISONAI_CALL_AUTH</code> is not set to <code>disabled</code> unless absolutely necessary and appropriate compensating controls are in place.</li>
<li>Deploy the Sigma rule &quot;Detects CVE-2026-61435 Exploitation - PraisonAI Authentication Bypass&quot; to your SIEM and investigate any alerts. This rule specifically targets the <code>Host</code> header spoofing behavior.</li>
<li>Monitor <code>webserver</code> logs for HTTP requests to <code>/api/v1/agents</code> or <code>/api/v1/agents/{agent_id}/invoke</code> endpoints that include a <code>Host: 127.0.0.1</code> header from external IP addresses.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authentication-bypass</category><category>vulnerability</category><category>web-application</category><category>rce-potential</category></item></channel></rss>