VulnWatch
Severity: High · Source: GitHub · GHSA-6rmh-7xcm-cpxj

PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution

Published May 11, 2026 · CVSS 7.3

Summary

PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is deployed, any caller that can reach it can list the configured agents via GET /agents and trigger the agents.yaml workflow via POST /chat without presenting a token.

Details

The vulnerable server is the shipped src/praisonai/api_server.py entrypoint.

  • AUTH_ENABLED = False and AUTH_TOKEN = None are hard-coded at src/praisonai/api_server.py:15.
  • check_auth() returns True whenever authentication is disabled, so both protected routes fail open at src/praisonai/api_server.py:18.
  • POST /chat only checks that the request JSON contains a message key and then runs PraisonAI(agent_file="agents.yaml").run() at src/praisonai/api_server.py:31.
  • GET /agents is guarded by the same no-op authentication check and returns agent metadata at src/praisonai/api_server.py:55.
  • When launched directly, the same script binds to 0.0.0.0:8080 (src/praisonai/api_server.py), so the unauthenticated routes are exposed on every interface of the host rather than on loopback only.

The deploy subsystem keeps the same insecure authentication default:

  • APIConfig defaults auth_enabled to False in src/praisonai/praisonai/deploy/models.py:23.
  • The generated sample API deployment YAML recommends host: 0.0.0.0 together with auth_enabled: false in src/praisonai/praisonai/deploy/schema.py:108.
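The combination above (bind to every interface, authentication off, no token) is what a startup guard should refuse. The following is an added example written for this page, not PraisonAI's own code: it validates a deploy-style config dict of the shape the sample YAML describes and rejects a non-loopback bind with authentication disabled, an unset auth_enabled, and an enabled-auth config with no token in the environment. The function names, the auth_token_env key and the PRAISONAI_API_TOKEN variable name are assumptions for the example; the two configs are constructed.

```python
import ipaddress
import os
import secrets


def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and 'localhost'; False for 0.0.0.0, :: and routable addresses."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def validate_api_config(cfg, env=None):
    """Startup guard (assumed for this example, not project code) for a deploy-style API config.

    Returns the effective settings or raises ValueError. Rules: auth_enabled has no
    implicit default, a non-loopback bind requires authentication, and the token is read
    from an environment variable (name taken from cfg["auth_token_env"], an assumed key)
    rather than stored in the YAML file.
    """
    env = os.environ if env is None else env
    if "auth_enabled" not in cfg:
        raise ValueError("auth_enabled must be set explicitly")
    host = cfg.get("host", "127.0.0.1")
    auth_enabled = bool(cfg["auth_enabled"])
    if not auth_enabled and not is_loopback(host):
        raise ValueError(f"refusing to bind {host} with authentication disabled")
    token = None
    if auth_enabled:
        token = env.get(cfg.get("auth_token_env", "PRAISONAI_API_TOKEN"))  # variable name assumed
        if not token:
            raise ValueError("auth_enabled is true but no token was found in the environment")
    return {"host": host, "port": int(cfg.get("port", 8080)),
            "auth_enabled": auth_enabled, "auth_token": token}


# Constructed configs: the shape of the sample the advisory describes, and a corrected one.
WEAK_CONFIG = {"host": "0.0.0.0", "port": 8080, "auth_enabled": False}
FIXED_CONFIG = {"host": "127.0.0.1", "port": 8080, "auth_enabled": True,
                "auth_token_env": "PRAISONAI_API_TOKEN"}


def outcome(cfg, env):
    """Runs the guard and reports the verdict as a string instead of raising."""
    try:
        validate_api_config(cfg, env)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo():
    """Runs the guard over the weak, corrected and under-specified configs; returns the verdicts."""
    return {
        "weak": outcome(WEAK_CONFIG, {}),
        "fixed_missing_token": outcome(FIXED_CONFIG, {}),
        "fixed_with_token": outcome(FIXED_CONFIG, {"PRAISONAI_API_TOKEN": secrets.token_urlsafe(32)}),
        "implicit_default": outcome({"host": "127.0.0.1"}, {}),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The guard is deliberately strict about the implicit default: leaving auth_enabled out of the file is rejected rather than silently treated as false, which is the failure mode the APIConfig default introduces.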

For scope clarity: the newer serve agents command is safer by default, because it binds to 127.0.0.1 and supports --api-key (src/praisonai/praisonai/cli/commands/serve.py:155). This report is about the shipped legacy API server and the generated/sample API deployment path above.

Version scope:

  • v2.5.6 ships the same src/praisonai/api_server.py implementation.
  • The current PyPI release as of May 1, 2026 is 4.6.33, and it still ships the same unauthenticated server logic.

PoC

The following route-level reproduction was verified locally and shows that the shipped api_server.py serves /agents and /chat without authentication.

  1. From the repository root, create a throwaway environment with the server's direct Flask dependencies:
python3 -m venv /tmp/praisonai-ghsa-venv
/tmp/praisonai-ghsa-venv/bin/pip install flask flask-cors
  2. Execute the shipped src/praisonai/api_server.py under a minimal stub for praisonai.PraisonAI so only the server's authentication logic is exercised (python - reads the stub script from stdin):
/tmp/praisonai-ghsa-venv/bin/python -
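To make the fail-open behaviour from the Details section and the route-level PoC reproducible without Flask or a network listener, here is an added example written for this page; it is not PraisonAI's code and not the stub used in the reproduction above. It models the check the advisory describes (True whenever authentication is disabled) beside a fail-closed replacement, routes GET /agents and POST /chat through each, and returns the status codes. The function names, the Bearer token scheme, the agent metadata and the "workflow would run" placeholder are assumptions; the real server's PraisonAI(agent_file="agents.yaml").run() is never called.

```python
import hmac
import json

# The two module-level defaults the advisory names for the legacy server.
AUTH_ENABLED = False
AUTH_TOKEN = None


def check_auth_fail_open(headers, auth_enabled=AUTH_ENABLED, auth_token=AUTH_TOKEN):
    """Same shape as the check the advisory describes: when authentication is
    disabled it returns True, so every caller is admitted. The enabled-path
    comparison is an assumption for this example."""
    if not auth_enabled:
        return True
    return headers.get("Authorization") == f"Bearer {auth_token}"


def check_auth_fail_closed(headers, auth_token):
    """Hardened replacement (assumed, not project code): a token is always required,
    an unset token admits nobody, and the comparison is constant-time."""
    if not auth_token:
        return False
    supplied = headers.get("Authorization", "")
    prefix = "Bearer "
    if not supplied.startswith(prefix):
        return False
    return hmac.compare_digest(supplied[len(prefix):].encode(), auth_token.encode())


def handle(method, path, headers, body, check):
    """Minimal router with the two routes the report names. Returns (status, payload).
    The workflow invocation is a stand-in string; nothing is executed."""
    if not check(headers):
        return 401, {"error": "unauthorized"}
    if method == "GET" and path == "/agents":
        return 200, {"agents": ["researcher", "writer"]}  # constructed metadata
    if method == "POST" and path == "/chat":
        try:
            data = json.loads(body or "{}")
        except json.JSONDecodeError:
            return 400, {"error": "invalid JSON"}
        if not isinstance(data, dict) or "message" not in data:
            return 400, {"error": "message required"}  # the only check the legacy route performs
        return 200, {"response": f"workflow would run for: {data['message']!r}"}
    return 404, {"error": "not found"}


def reproduce():
    """Unauthenticated and token-bearing requests against both variants; returns the status codes."""
    no_auth = {}
    chat = json.dumps({"message": "hello"})
    out = {
        "vuln_agents_noauth": handle("GET", "/agents", no_auth, None, check_auth_fail_open)[0],
        "vuln_chat_noauth": handle("POST", "/chat", no_auth, chat, check_auth_fail_open)[0],
        "vuln_chat_missing_message": handle("POST", "/chat", no_auth, "{}", check_auth_fail_open)[0],
    }
    token = "constructed-example-token"  # constructed; generate a random secret in practice
    fixed = lambda h: check_auth_fail_closed(h, token)
    out["fixed_agents_noauth"] = handle("GET", "/agents", no_auth, None, fixed)[0]
    out["fixed_chat_wrong_token"] = handle("POST", "/chat", {"Authorization": "Bearer nope"}, chat, fixed)[0]
    out["fixed_chat_token"] = handle("POST", "/chat", {"Authorization": f"Bearer {token}"}, chat, fixed)[0]
    out["fixed_unset_token"] = handle("GET", "/agents", {"Authorization": "Bearer x"}, None,
                                      lambda h: check_auth_fail_closed(h, None))[0]
    return out


if __name__ == "__main__":
    for case, status in reproduce().items():
        print(f"{case}: {status}")
```

Running the file prints 200 for both unauthenticated requests against the fail-open variant, which is the condition the PoC above demonstrates against the real server, and 401 for every request against the fail-closed variant that lacks the correct token, including the case where the operator never set one.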
