PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
Summary
praisonaiagents.mcp.ToolsMCPServer.run_sse() builds a Starlette MCP
HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes
/sse and /messages/, but it does not validate Origin, does not validate
Host, and does not require any authentication.
This is reachable through supported PraisonAI code paths that wrap configured MCP server tools and re-expose them over legacy SSE:
- `praisonai mcp run --transport sse`
- `praisonai serve mcp --name --transport sse`
- direct use of `ToolsMCPServer(...).run_sse(...)` or `launch_tools_mcp_server(..., transport="sse")`
A malicious website can use DNS rebinding against a local or internal
PraisonAI SSE MCP server and send requests with attacker-controlled Host and
Origin headers. The local PoV binds only to 127.0.0.1, sends an attacker
Host and Origin, lists the registered tool, and invokes it successfully.
The same attacker Origin is rejected by PraisonAI's current Streamable HTTP
transport with HTTP 403. The vulnerability is therefore a sibling transport
guard gap in the legacy SSE wrapper, not intended behavior.
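As an added defensive illustration (not code from PraisonAI or the MCP SDK), this is the kind of Host/Origin allow-list check that, per the description above, the Streamable HTTP transport enforces and the legacy SSE wrapper omits; it would have to run on both the `/sse` and `/messages/` handlers. The hostnames and ports in the sample headers are constructed.

```python
"""Host/Origin allow-list check for a loopback-bound MCP SSE endpoint.

Constructed example for DNS-rebinding defence; not PraisonAI or MCP SDK code.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Names a server bound only to 127.0.0.1 should ever see in Host or Origin.
LOCAL_HOSTS = frozenset({"localhost", "127.0.0.1", "[::1]"})


def _hostname(value: str) -> str | None:
    """Lowercase hostname (no scheme, no port) of a Host value or Origin URL."""
    if not value:
        return None
    # Origin carries a scheme, Host does not; route both through urlsplit.
    target = value if "://" in value else f"//{value}"
    try:
        host = urlsplit(target).hostname
    except ValueError:  # e.g. unbalanced IPv6 brackets
        return None
    if host is None:
        return None
    # urlsplit strips brackets from IPv6 literals; restore them for comparison.
    return f"[{host}]" if ":" in host else host


def request_allowed(headers: dict[str, str],
                    allowed_hosts: frozenset[str] = LOCAL_HOSTS) -> tuple[bool, str]:
    """Return (allowed, reason). Host must match; Origin, if present, must too.

    A rebound attacker page reaches 127.0.0.1 but still sends its own
    Host/Origin, so checking both headers blocks it. A non-browser MCP
    client sends no Origin, which stays allowed as long as Host is local.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if _hostname(h.get("host", "")) not in allowed_hosts:
        return False, f"host {h.get('host')!r} not in allow-list"
    origin = h.get("origin")
    if origin is not None and _hostname(origin) not in allowed_hosts:
        return False, f"origin {origin!r} not in allow-list"
    return True, "ok"


# Constructed request headers: two legitimate local clients, two rebinding shapes.
CONSTRUCTED_REQUESTS = {
    "local_cli": {"Host": "127.0.0.1:8080"},
    "local_browser": {"Host": "localhost:8080", "Origin": "http://localhost:8080"},
    "rebound_page": {"Host": "attacker.example:8080", "Origin": "http://attacker.example:8080"},
    "foreign_origin": {"Host": "127.0.0.1:8080", "Origin": "http://attacker.example"},
}


def evaluate_all() -> dict[str, bool]:
    """Decision for every constructed request, keyed by scenario name."""
    return {name: request_allowed(hdrs)[0] for name, hdrs in CONSTRUCTED_REQUESTS.items()}
```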
Affected product
- Repository: MervinPraison/PraisonAI
- Packages: praisonaiagents, praisonai
- Primary component: src/praisonai-agents/praisonaiagents/mcp/mcp_server.py
- CLI wrappers: src/praisonai/praisonai/cli/commands/mcp.py, src/praisonai/praisonai/cli/commands/serve.py
- Latest verified release/current head: praisonaiagents 1.6.58, PraisonAI 4.6.58, repo head 1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Suggested affected ranges:
- `praisonaiagents >= 0.6.0, = 3.10.0,