VulnWatch
Critical · GitHub · GHSA-p75f-6fp4-p57w

PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai

Published Jun 18, 2026 · CVSS 9.8

Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands

Summary

PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote, unauthenticated client can send POST /api/mcp/connect with command and args fields. The endpoint passes those values unchanged to the MCP stdio client, which starts the attacker-selected local process as the PraisonAI UI service user.

The issue is reachable through PraisonAI's hosted UI integration (praisonai ui, praisonai ui agents, praisonai claw, and any app using praisonai.integration.host_app.create_host_app() / build_host_app()). praisonai ui and the related Typer UI commands bind to 0.0.0.0 by default, so the endpoint is reachable on every network interface of the host unless the operator overrides the bind address.
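For defenders hunting for exploitation of the route described above, the following is an added example (not PraisonAI's or VulnWatch's code) that scans HTTP access-log lines for MCP management-route traffic from non-loopback sources. It assumes a common-log-format line shape, which the advisory does not specify; the sample lines are constructed.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed access-log shape (constructed for this example; the advisory does not
# describe PraisonAI's request logging): <client_ip> - - [<timestamp>] "<METHOD> <path> HTTP/x" <status>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Routes named in the advisory's recommended fix, all of which should require auth.
CONNECT_ROUTE = "/api/mcp/connect"
RECON_ROUTES = ("/api/mcp/servers", "/api/mcp/disconnect/")


@dataclass
class Finding:
    severity: str
    ip: str
    ts: str
    method: str
    path: str
    status: int
    note: str


def is_remote(ip_text: str) -> bool:
    """True for any source that is not loopback; unparsable sources count as remote (fail closed)."""
    try:
        return not ipaddress.ip_address(ip_text).is_loopback
    except ValueError:
        return True


def scan_access_log(lines):
    """Return findings for MCP management-route traffic that did not come from localhost."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        ip, ts, method, status = m["ip"], m["ts"], m["method"], int(m["status"])
        if not is_remote(ip):
            continue  # loopback traffic is expected from the UI's own browser session
        if path == CONNECT_ROUTE and method == "POST":
            if 200 <= status < 300:
                findings.append(Finding("critical", ip, ts, method, path, status,
                                        "remote connect accepted: a stdio MCP process was likely spawned"))
            else:
                findings.append(Finding("high", ip, ts, method, path, status,
                                        "remote connect attempt rejected or failed"))
        elif path.startswith(RECON_ROUTES):
            findings.append(Finding("medium", ip, ts, method, path, status,
                                    "remote enumeration or teardown of MCP servers"))
    return findings


# Constructed sample lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [18/Jun/2026:10:00:01 +0000] "GET /api/mcp/servers HTTP/1.1" 200',
    '203.0.113.7 - - [18/Jun/2026:10:00:05 +0000] "GET /api/mcp/servers HTTP/1.1" 200',
    '203.0.113.7 - - [18/Jun/2026:10:00:09 +0000] "POST /api/mcp/connect HTTP/1.1" 200',
    '198.51.100.4 - - [18/Jun/2026:10:01:00 +0000] "POST /api/mcp/connect HTTP/1.1" 401',
    '10.0.0.5 - - [18/Jun/2026:10:02:00 +0000] "GET /chat HTTP/1.1" 200',
]

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} {f.ip} {f.method} {f.path} -> {f.status}: {f.note}")
```

A 2xx on a remote POST to /api/mcp/connect is the signal to escalate: at that point a process has most likely been started as the UI service user, so the next step is process-tree review on the host rather than more log analysis.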

Affected Versions

Confirmed affected:

  • praisonai v4.6.48
  • Commit tested: d5f1114aaf1a2e9f121a6e66b929149ca2201f1d
  • Tag tested: v4.6.48
  • Pinned UI dependency: aiui==0.3.121 from src/praisonai/uv.lock

Likely affected:

  • Any PraisonAI release that exposes aiui / praisonaiui create_app() through the PraisonAI UI host apps without authentication and includes the mcp dependency. I only confirmed the latest release during this audit.

Severity

Reasoning (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H):

  • AV:N: the vulnerable endpoint is a network-reachable HTTP API route.
  • AC:L: a single POST request is sufficient.
  • PR:N: default UI host apps do not require credentials unless opt-in auth is configured.
  • UI:N: no victim interaction is needed once the server is running.
  • S:U: code executes in the PraisonAI UI server process context; no other security authority is crossed.
  • C:H/I:H/A:H: arbitrary local command execution permits secret exfiltration, file tampering, and service disruption.

Root Cause

PraisonAI depends on MCP by default and exposes PraisonAIUI via optional UI extras:

  • src/praisonai/pyproject.toml:11 includes base dependencies.
  • src/praisonai/pyproject.toml:19 includes mcp>=1.20.0.
  • src/praisonai/pyproject.toml:25 defines the ui extra with aiui>=0.3.121,=0.3.121.
  • Sink: praisonaiui.features.mcp.connect_mcp_server -> StdioMCPClient, which starts the caller-supplied command.

Related Advisories

  • Not GHSA-pj2r-f9mw-vrcq / CVE-2026-40159. That advisory concerns sensitive environment variables inherited by untrusted MCP subprocesses. This finding is unauthenticated, network-triggered local process execution.
  • Not GHSA-6rmh-7xcm-cpxj or GHSA-8444-4fhq-fxpq. Those concern unauthenticated legacy/generated agent servers. This is a distinct UI route and a distinct sink that starts arbitrary local processes.
  • Not GHSA-9cr9-25q5-8prj, GHSA-9mqq-jqxf-grvw, or the other MCP server file-read/path-traversal advisories. This path is the UI MCP client connector, not PraisonAI's MCP server tool dispatcher.

Recommended Fix

  1. Remove arbitrary command/args from the remote HTTP API. MCP stdio servers should be configured only from trusted local configuration, not caller-supplied JSON.
  2. Require authentication and authorization on /api/mcp/connect, /api/mcp/disconnect/*, and /api/mcp/servers regardless of AUTH_ENFORCE.
  3. Change UI command defaults from 0.0.0.0 to 127.0.0.1, or require an explicit --unsafe-expose style flag when binding externally without auth.
  4. If remote MCP registration is a required feature, allow only URL-based transports with SSRF protections, or maintain an administrator-configured allowlist of commands.
  5. Add regression tests that unauthenticated requests to /api/mcp/connect cannot start a subprocess, including when AUTH_ENFORCE is unset.
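The following is an added example (not PraisonAI's code) that puts the vulnerable handler shape described in the Summary and Root Cause next to a hardened handler implementing fix steps 1 through 4, with a test double for the launcher so step 5's regression check can run without spawning anything. Function names, the allowlist entries, the bearer-token scheme and the --unsafe-expose flag are assumptions for illustration.

```python
import hmac
import subprocess
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, dict]


# ---- Vulnerable shape, modelled on the advisory's description (not PraisonAI's source) ----
def connect_vulnerable(body: dict, launch: Callable = subprocess.Popen):
    """Caller-supplied command/args go straight to a stdio launcher: remote code execution."""
    return launch([body["command"], *body.get("args", [])])


# ---- Hardened shape ----
# Fix 1/4: servers come from administrator-configured local config keyed by name (hypothetical entry).
MCP_SERVER_ALLOWLIST: Dict[str, List[str]] = {
    "filesystem-ro": ["mcp-server-filesystem", "--read-only", "/srv/docs"],
}


def check_auth(headers: dict, expected_token: str) -> bool:
    """Fix 2: auth is mandatory on MCP management routes; an absent configured token fails closed.
    This deliberately never consults AUTH_ENFORCE, so an unset flag cannot switch it off."""
    if not expected_token:
        return False
    presented = headers.get("Authorization", "")
    return hmac.compare_digest(presented.encode(), ("Bearer " + expected_token).encode())


def connect_hardened(body: dict, headers: dict, expected_token: str,
                     allowlist: Dict[str, List[str]] = MCP_SERVER_ALLOWLIST,
                     launch: Callable = subprocess.Popen) -> Response:
    if not check_auth(headers, expected_token):
        return 401, {"error": "authentication required"}
    if "command" in body or "args" in body:
        # Fix 1: arbitrary argv is rejected outright rather than "validated".
        return 400, {"error": "command/args are not accepted; supply a configured server name"}
    name = body.get("server")
    argv = allowlist.get(name)
    if argv is None:
        return 404, {"error": "unknown MCP server"}
    proc = launch(list(argv))  # copy so the allowlist cannot be mutated via the handle
    return 200, {"server": name, "pid": getattr(proc, "pid", None)}


def resolve_bind_host(requested: str = "127.0.0.1", auth_configured: bool = False,
                      unsafe_expose: bool = False) -> str:
    """Fix 3: loopback by default; binding externally needs auth or an explicit unsafe flag."""
    if requested in ("127.0.0.1", "localhost", "::1"):
        return requested
    if auth_configured or unsafe_expose:
        return requested
    raise ValueError(f"refusing to bind {requested} without authentication; pass --unsafe-expose to override")


class RecordingLauncher:
    """Test double for subprocess.Popen: records argv instead of spawning (fix 5 regression tests)."""
    def __init__(self):
        self.calls: List[List[str]] = []

    def __call__(self, argv):
        self.calls.append(argv)
        return type("Proc", (), {"pid": 4242})()


if __name__ == "__main__":
    rec = RecordingLauncher()
    print(connect_hardened({"command": "id"}, {}, "s3cret", launch=rec))
    print(connect_hardened({"server": "filesystem-ro"}, {"Authorization": "Bearer s3cret"}, "s3cret", launch=rec))
    print("launched:", rec.calls)
```

The design point is that the hardened route never has a code path from request JSON to argv: the only thing a caller can influence is which pre-configured name is looked up, so there is nothing to sanitize and no allowlist-bypass surface of the kind that "validate the command string" approaches tend to leave behind.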
