CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14566 vulnerabilities reference this CWE, most recent first.
GHSA-J444-7J4H-86HV
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in Stamped.io Stamped.io Product Reviews & UGC for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stamped.io Product Reviews & UGC for WooCommerce: from n/a through 2.3.2.
{
"affected": [],
"aliases": [
"CVE-2023-30479"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:27Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Stamped.io Stamped.io Product Reviews \u0026 UGC for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Stamped.io Product Reviews \u0026 UGC for WooCommerce: from n/a through 2.3.2.",
"id": "GHSA-j444-7j4h-86hv",
"modified": "2026-04-28T21:35:18Z",
"published": "2024-12-09T15:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30479"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/stampedio-product-reviews/vulnerability/wordpress-stamped-io-product-reviews-ugc-for-woocommerce-plugin-2-3-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J445-5264-J568
Vulnerability from github – Published: 2024-06-11 03:31 – Updated: 2024-06-11 03:31Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
{
"affected": [],
"aliases": [
"CVE-2024-34691"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-11T03:15:11Z",
"severity": "MODERATE"
},
"details": "Manage Incoming Payment Files (F1680) of SAP\nS/4HANA does not perform necessary authorization checks for an authenticated\nuser, resulting in escalation of privileges. As a result, it has high impact on\nintegrity and no impact on the confidentiality and availability of the system.",
"id": "GHSA-j445-5264-j568",
"modified": "2024-06-11T03:31:01Z",
"published": "2024-06-11T03:31:01Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34691"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3466175"
},
{
"type": "WEB",
"url": "https://support.sap.com/en/my-support/knowledge-base/security-notes-news.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J46C-HFXP-3H44
Vulnerability from github – Published: 2025-10-27 03:30 – Updated: 2026-01-20 15:31Missing Authorization vulnerability in wpseek Admin Management Xtended admin-management-xtended allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin Management Xtended : from n/a through <= 2.5.1.
{
"affected": [],
"aliases": [
"CVE-2025-62965"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-27T02:15:56Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in wpseek Admin Management Xtended admin-management-xtended allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Admin Management Xtended : from n/a through \u003c= 2.5.1.",
"id": "GHSA-j46c-hfxp-3h44",
"modified": "2026-01-20T15:31:37Z",
"published": "2025-10-27T03:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62965"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/admin-management-xtended/vulnerability/wordpress-admin-management-xtended-plugin-2-5-1-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/admin-management-xtended/vulnerability/wordpress-admin-management-xtended-plugin-2-5-1-broken-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/admin-management-xtended/vulnerability/wordpress-admin-management-xtended-plugin-2-5-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-J479-48QC-7RGJ
Vulnerability from github – Published: 2025-11-11 18:30 – Updated: 2025-11-11 18:30Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.
{
"affected": [],
"aliases": [
"CVE-2025-30398"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-11T18:15:35Z",
"severity": "HIGH"
},
"details": "Missing authorization in Nuance PowerScribe allows an unauthorized attacker to disclose information over a network.",
"id": "GHSA-j479-48qc-7rgj",
"modified": "2025-11-11T18:30:20Z",
"published": "2025-11-11T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30398"
},
{
"type": "WEB",
"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-30398"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J47R-FQH5-HQCC
Vulnerability from github – Published: 2026-05-06 21:31 – Updated: 2026-05-06 21:31OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.
{
"affected": [],
"aliases": [
"CVE-2026-43577"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-06T20:16:33Z",
"severity": "HIGH"
},
"details": "OpenClaw before 2026.4.9 contains a file read vulnerability allowing attackers to bypass navigation guards through browser act/evaluate interactions. Attackers can pivot into the local CDP origin and create or read disallowed file:// pages despite direct navigation policy restrictions.",
"id": "GHSA-j47r-fqh5-hqcc",
"modified": "2026-05-06T21:31:42Z",
"published": "2026-05-06T21:31:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-qmwg-qprg-3j38"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-43577"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/5f5b3d733bdd791cb457f838514179e1288b10b3"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-file-read-via-browser-interaction-routes"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J4C3-W229-4JFW
Vulnerability from github – Published: 2025-08-14 21:31 – Updated: 2026-04-01 18:35Missing Authorization vulnerability in codeablepress CodeablePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CodeablePress: from n/a through 1.0.0.
{
"affected": [],
"aliases": [
"CVE-2025-53221"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-08-14T19:15:34Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in codeablepress CodeablePress allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CodeablePress: from n/a through 1.0.0.",
"id": "GHSA-j4c3-w229-4jfw",
"modified": "2026-04-01T18:35:51Z",
"published": "2025-08-14T21:31:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53221"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/codeablepress-simple-frontend-profile-picture-upload/vulnerability/wordpress-codeablepress-plugin-plugin-1-0-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-J4F3-55X4-R6Q2
Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26Summary
The published npm package praisonai exports a TypeScript MCPServer that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with:
await server.start({ port: 3000 });
The HTTP transport has no authentication or authorization path. MCPServerConfig does not expose an auth/security setting, startHttp() ignores the Authorization header, and every POST request is parsed and forwarded directly to handleRequest(). That request handler dispatches sensitive MCP methods such as tools/call, resources/read, and prompts/get.
The implementation also calls this.httpServer.listen(port) without a host argument. In Node.js this binds to the unspecified address; the local PoV observed { address: "::", family: "IPv6" }, making the service reachable on all interfaces on systems where the port is exposed.
This lets any network client that can reach the HTTP port list tools and invoke registered server-side tools without credentials. Supplying Authorization: Bearer invalid makes no difference.
Technical Details
MCPServerConfig exposes server metadata, tools/resources/prompts, stdio, port, and logging. It does not expose an auth token, authorization policy, MCPSecurity instance, authorization callback, or loopback-only option:
src/praisonai-ts/src/mcp/server.ts
57: export interface MCPServerConfig {
63: tools?: MCPServerTool[];
65: resources?: MCPResource[];
67: prompts?: MCPPrompt[];
69: stdio?: boolean;
73: port?: number | null;
75: logging?: boolean;
handleRequest() dispatches sensitive MCP methods directly:
src/praisonai-ts/src/mcp/server.ts
203: async handleRequest(request: MCPRequest): Promise<MCPResponse> {
219: case 'tools/call':
220: result = await this.handleToolCall(params);
225: case 'resources/read':
226: result = await this.handleResourceRead(params);
231: case 'prompts/get':
232: result = await this.handlePromptGet(params);
The tool dispatcher invokes the registered handler:
src/praisonai-ts/src/mcp/server.ts
285: private async handleToolCall(params?: any): Promise<any> {
288: const tool = this.tools.get(name);
298: const result = await tool.handler(args ?? {});
The HTTP server parses every POST body and forwards it to handleRequest() with no authentication check:
src/praisonai-ts/src/mcp/server.ts
403: async startHttp(port: number): Promise<void> {
409: this.httpServer = http.createServer(async (req, res) => {
416: const response = await this.handleRequest(request);
434: this.httpServer.listen(port, () => {
This is a guard-coverage gap because the same TypeScript package already ships a dedicated MCP security manager:
src/praisonai-ts/src/mcp/security.ts
2: * MCP Security - Authentication, authorization, and rate limiting
79: export class MCPSecurity {
132: async check(request: { path?: string; method?: string; headers?: ... })
167: const auth = headers['authorization'] ?? headers['Authorization'];
239: case 'authenticate':
303: export function createApiKeyPolicy(...)
MCPServer never references that security manager in its HTTP request path.
Why This Is Not Intended Behavior
PraisonAI's MCP documentation says MCP servers allow AI models to use tools and communicate with external systems. The same page's security considerations say to use API keys in production, implement rate limiting, validate incoming requests, use HTTPS, and limit custom tool permissions.
PraisonAI's security page also documents prior breaking hardening where API servers were changed to require authentication by default and bind to 127.0.0.1 instead of 0.0.0.0. It separately lists MCP tools/call issues as security vulnerabilities.
The npm TypeScript MCPServer does the opposite:
start({ port })binds to the unspecified address;MCPServerConfighas no auth/security field;startHttp()does not inspectAuthorization;tools/list,tools/call,resources/read, andprompts/getall dispatch without authentication; andMCPSecurityexists but is not wired into the HTTP server.
This is not merely a deployment hardening suggestion. The package exposes an HTTP MCP server API and a separate security manager, but the server's own HTTP transport provides no way to enforce the documented API-key requirement.
PoV
The PoV installs the published npm package in a temporary project, starts the exported MCPServer on a local ephemeral port, and sends loopback JSON-RPC requests. It does not call any LLM provider or external service after package installation.
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
Observed result:
{
"package": "praisonai",
"version": "1.7.1",
"mcpServerExported": true,
"bindAddress": {
"address": "::",
"family": "IPv6"
},
"initialize": {
"status": 200
},
"list": {
"status": 200,
"json": {
"result": {
"tools": [
{
"name": "admin_reset_marker",
"description": "privileged marker tool"
}
]
}
}
},
"callNoAuth": {
"status": 200,
"json": {
"result": {
"content": [
{
"text": "invoked:NO_AUTH_MARKER"
}
]
}
}
},
"callBadAuth": {
"status": 200,
"json": {
"result": {
"content": [
{
"text": "invoked:BAD_AUTH_MARKER"
}
]
}
}
},
"calls": [
"NO_AUTH_MARKER",
"BAD_AUTH_MARKER"
],
"patchedControl": {
"noAuthStatus": 401,
"withAuthStatus": 200,
"patchedCalls": [
"called"
]
}
}
Interpretation:
- unauthenticated
initializereturns200; - unauthenticated
tools/listreturns the registered tool; - unauthenticated
tools/callinvokes the registered tool; - invalid
Authorization: Bearer invalidis ignored and also invokes the tool; - the server binds to the unspecified IPv6 address; and
- a minimal local wrapper that enforces a bearer token blocks the same no-auth call with
401, demonstrating that the PoV is exercising the missing authentication boundary.
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
Any client that can reach the npm TypeScript MCPServer HTTP port can list and invoke all registered MCP tools without credentials.
Real impact depends on which tools, resources, and prompts the application registers. MCP tools commonly wrap filesystem operations, API clients, database queries, agent actions, deployment operations, email/Slack actions, browser automation, and code execution. Because those handlers run with the server process privileges and server-side credentials, an unauthenticated caller can drive the same actions.
resources/read and prompts/get are also unauthenticated and may disclose application data or prompt material registered by the server.
Severity
Suggested severity: Critical.
Rationale:
AV: exploitation is a direct HTTP JSON-RPC request.AC: no race, user gesture, or special state is required.PR: no credentials are required; invalid credentials are ignored.UI: no user interaction is required after the server is running.S: impact is within the authority of the MCP server process and its registered tools.C: resources, prompts, and tool-returned data may expose sensitive data.I: unauthenticated callers can drive server-side tools.A: unauthenticated callers can invoke destructive or resource-consuming tools if registered.
Suggested Fix
Recommended minimum fix:
- Add
security,auth,authRequired,apiKeys, orauthorize(req)toMCPServerConfig. - Fail closed for HTTP transport when auth is not configured, unless the caller explicitly opts into unauthenticated loopback-only development mode.
- Bind HTTP transport to
127.0.0.1by default, or require an explicit host when binding to all interfaces. - Call
MCPSecurity.check(...)or equivalent middleware before every non-health POST request reacheshandleRequest(). - Return
401for missing or invalid credentials before dispatchinginitialize,tools/list,tools/call,resources/read, orprompts/get. - Add Origin/Host protections for loopback HTTP transports to reduce DNS rebinding exposure.
- Add regression tests proving:
- no-auth
tools/listreturns401; - no-auth
tools/callreturns401and does not invoke the handler; - invalid bearer token returns
401; - valid bearer token invokes the handler;
- default
start({ port })does not bind to all interfaces without an explicit opt-in.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Ecosystem:
npm - Package:
praisonai - Component:
src/praisonai-ts/src/mcp/server.ts - Related unused security component:
src/praisonai-ts/src/mcp/security.ts - Current npm version checked:
1.7.1 - Refreshed
origin/mainchecked:1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Confirmed affected range:
>= 1.5.0, <= 1.7.1
Boundary:
1.4.0 does not export MCPServer and does not ship dist/mcp/server.js.
No fixed npm version is known at the time of this report.
Version Sweep
The included sweep installs selected npm versions and checks the HTTP MCPServer path:
node poc/version_sweep_poc.js
Observed result:
1.4.0: mcpServerExported=false, hasDistMcpServer=false
1.5.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::
1.5.4: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::
1.6.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::
1.7.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::
1.7.1: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::
Advisory History
Known related public advisories:
GHSA-9mqq-jqxf-grvw/CVE-2026-44336:pip:praisonaiMCPtools/callpath traversal to RCE in Pythonpraisonai mcp serve, affected<= 4.6.33.CVE-2026-47394:pip:praisonaiincomplete MCP path traversal fix affecting Python workflow/deploy handlers.- poc: deprecated Python MCP SSE Host/Origin/session issue.
- poc: npm TypeScript AgentOS missing authentication.
This report is distinct because it targets:
- ecosystem:
npm; - package:
praisonai; - component:
src/praisonai-ts/src/mcp/server.ts; - root cause: TypeScript
MCPServerHTTP transport missing auth and not usingMCPSecurity; - primitive: unauthenticated and invalid-auth JSON-RPC
tools/callinvokes arbitrary registered TypeScript MCP tools; and - affected range:
>= 1.5.0, <= 1.7.1.
The Python MCP advisories cover path traversal in specific Python MCP tool handlers. They do not cover the npm TypeScript MCPServer transport or its unwired security manager.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-306",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:26:48Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "## Summary\n\nThe published npm package `praisonai` exports a TypeScript `MCPServer` that can expose tools, resources, and prompts over an HTTP JSON-RPC transport with:\n\n```ts\nawait server.start({ port: 3000 });\n```\n\nThe HTTP transport has no authentication or authorization path. `MCPServerConfig` does not expose an auth/security setting, `startHttp()` ignores the `Authorization` header, and every POST request is parsed and forwarded directly to `handleRequest()`. That request handler dispatches sensitive MCP methods such as `tools/call`, `resources/read`, and `prompts/get`.\n\nThe implementation also calls `this.httpServer.listen(port)` without a host argument. In Node.js this binds to the unspecified address; the local PoV observed `{ address: \"::\", family: \"IPv6\" }`, making the service reachable on all interfaces on systems where the port is exposed.\n\nThis lets any network client that can reach the HTTP port list tools and invoke registered server-side tools without credentials. Supplying `Authorization: Bearer invalid` makes no difference.\n\n## Technical Details\n\n`MCPServerConfig` exposes server metadata, tools/resources/prompts, stdio, port, and logging. It does not expose an auth token, authorization policy, `MCPSecurity` instance, authorization callback, or loopback-only option:\n\n```text\nsrc/praisonai-ts/src/mcp/server.ts\n 57: export interface MCPServerConfig {\n 63: tools?: MCPServerTool[];\n 65: resources?: MCPResource[];\n 67: prompts?: MCPPrompt[];\n 69: stdio?: boolean;\n 73: port?: number | null;\n 75: logging?: boolean;\n```\n\n`handleRequest()` dispatches sensitive MCP methods directly:\n\n```text\nsrc/praisonai-ts/src/mcp/server.ts\n 203: async handleRequest(request: MCPRequest): Promise\u003cMCPResponse\u003e {\n 219: case \u0027tools/call\u0027:\n 220: result = await this.handleToolCall(params);\n 225: case \u0027resources/read\u0027:\n 226: result = await this.handleResourceRead(params);\n 231: case \u0027prompts/get\u0027:\n 232: result = await this.handlePromptGet(params);\n```\n\nThe tool dispatcher invokes the registered handler:\n\n```text\nsrc/praisonai-ts/src/mcp/server.ts\n 285: private async handleToolCall(params?: any): Promise\u003cany\u003e {\n 288: const tool = this.tools.get(name);\n 298: const result = await tool.handler(args ?? {});\n```\n\nThe HTTP server parses every POST body and forwards it to `handleRequest()` with no authentication check:\n\n```text\nsrc/praisonai-ts/src/mcp/server.ts\n 403: async startHttp(port: number): Promise\u003cvoid\u003e {\n 409: this.httpServer = http.createServer(async (req, res) =\u003e {\n 416: const response = await this.handleRequest(request);\n 434: this.httpServer.listen(port, () =\u003e {\n```\n\nThis is a guard-coverage gap because the same TypeScript package already ships a dedicated MCP security manager:\n\n```text\nsrc/praisonai-ts/src/mcp/security.ts\n 2: * MCP Security - Authentication, authorization, and rate limiting\n 79: export class MCPSecurity {\n 132: async check(request: { path?: string; method?: string; headers?: ... })\n 167: const auth = headers[\u0027authorization\u0027] ?? headers[\u0027Authorization\u0027];\n 239: case \u0027authenticate\u0027:\n 303: export function createApiKeyPolicy(...)\n```\n\n`MCPServer` never references that security manager in its HTTP request path.\n\n### Why This Is Not Intended Behavior\n\nPraisonAI\u0027s MCP documentation says MCP servers allow AI models to use tools and communicate with external systems. The same page\u0027s security considerations say to use API keys in production, implement rate limiting, validate incoming requests, use HTTPS, and limit custom tool permissions.\n\nPraisonAI\u0027s security page also documents prior breaking hardening where API servers were changed to require authentication by default and bind to `127.0.0.1` instead of `0.0.0.0`. It separately lists MCP `tools/call` issues as security vulnerabilities.\n\nThe npm TypeScript `MCPServer` does the opposite:\n\n- `start({ port })` binds to the unspecified address;\n- `MCPServerConfig` has no auth/security field;\n- `startHttp()` does not inspect `Authorization`;\n- `tools/list`, `tools/call`, `resources/read`, and `prompts/get` all dispatch without authentication; and\n- `MCPSecurity` exists but is not wired into the HTTP server.\n\nThis is not merely a deployment hardening suggestion. The package exposes an HTTP MCP server API and a separate security manager, but the server\u0027s own HTTP transport provides no way to enforce the documented API-key requirement.\n\n## PoV\n\nThe PoV installs the published npm package in a temporary project, starts the exported `MCPServer` on a local ephemeral port, and sends loopback JSON-RPC requests. It does not call any LLM provider or external service after package installation.\n\nRun from a local reproduction checkout:\n\n```fish\nnode poc/pov_poc.js 1.7.1\n```\n\nObserved result:\n\n```json\n{\n \"package\": \"praisonai\",\n \"version\": \"1.7.1\",\n \"mcpServerExported\": true,\n \"bindAddress\": {\n \"address\": \"::\",\n \"family\": \"IPv6\"\n },\n \"initialize\": {\n \"status\": 200\n },\n \"list\": {\n \"status\": 200,\n \"json\": {\n \"result\": {\n \"tools\": [\n {\n \"name\": \"admin_reset_marker\",\n \"description\": \"privileged marker tool\"\n }\n ]\n }\n }\n },\n \"callNoAuth\": {\n \"status\": 200,\n \"json\": {\n \"result\": {\n \"content\": [\n {\n \"text\": \"invoked:NO_AUTH_MARKER\"\n }\n ]\n }\n }\n },\n \"callBadAuth\": {\n \"status\": 200,\n \"json\": {\n \"result\": {\n \"content\": [\n {\n \"text\": \"invoked:BAD_AUTH_MARKER\"\n }\n ]\n }\n }\n },\n \"calls\": [\n \"NO_AUTH_MARKER\",\n \"BAD_AUTH_MARKER\"\n ],\n \"patchedControl\": {\n \"noAuthStatus\": 401,\n \"withAuthStatus\": 200,\n \"patchedCalls\": [\n \"called\"\n ]\n }\n}\n```\n\nInterpretation:\n\n- unauthenticated `initialize` returns `200`;\n- unauthenticated `tools/list` returns the registered tool;\n- unauthenticated `tools/call` invokes the registered tool;\n- invalid `Authorization: Bearer invalid` is ignored and also invokes the tool;\n- the server binds to the unspecified IPv6 address; and\n- a minimal local wrapper that enforces a bearer token blocks the same no-auth call with `401`, demonstrating that the PoV is exercising the missing authentication boundary.\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nAny client that can reach the npm TypeScript `MCPServer` HTTP port can list and invoke all registered MCP tools without credentials.\n\nReal impact depends on which tools, resources, and prompts the application registers. MCP tools commonly wrap filesystem operations, API clients, database queries, agent actions, deployment operations, email/Slack actions, browser automation, and code execution. Because those handlers run with the server process privileges and server-side credentials, an unauthenticated caller can drive the same actions.\n\n`resources/read` and `prompts/get` are also unauthenticated and may disclose application data or prompt material registered by the server.\n\n### Severity\n\nSuggested severity: Critical.\n\nRationale:\n\n- `AV`: exploitation is a direct HTTP JSON-RPC request.\n- `AC`: no race, user gesture, or special state is required.\n- `PR`: no credentials are required; invalid credentials are ignored.\n- `UI`: no user interaction is required after the server is running.\n- `S`: impact is within the authority of the MCP server process and its registered tools.\n- `C`: resources, prompts, and tool-returned data may expose sensitive data.\n- `I`: unauthenticated callers can drive server-side tools.\n- `A`: unauthenticated callers can invoke destructive or resource-consuming tools if registered.\n\n## Suggested Fix\n\nRecommended minimum fix:\n\n1. Add `security`, `auth`, `authRequired`, `apiKeys`, or `authorize(req)` to `MCPServerConfig`.\n2. Fail closed for HTTP transport when auth is not configured, unless the caller explicitly opts into unauthenticated loopback-only development mode.\n3. Bind HTTP transport to `127.0.0.1` by default, or require an explicit host when binding to all interfaces.\n4. Call `MCPSecurity.check(...)` or equivalent middleware before every non-health POST request reaches `handleRequest()`.\n5. Return `401` for missing or invalid credentials before dispatching `initialize`, `tools/list`, `tools/call`, `resources/read`, or `prompts/get`.\n6. Add Origin/Host protections for loopback HTTP transports to reduce DNS rebinding exposure.\n7. Add regression tests proving:\n - no-auth `tools/list` returns `401`;\n - no-auth `tools/call` returns `401` and does not invoke the handler;\n - invalid bearer token returns `401`;\n - valid bearer token invokes the handler;\n - default `start({ port })` does not bind to all interfaces without an explicit opt-in.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Ecosystem: `npm`\n- Package: `praisonai`\n- Component: `src/praisonai-ts/src/mcp/server.ts`\n- Related unused security component: `src/praisonai-ts/src/mcp/security.ts`\n- Current npm version checked: `1.7.1`\n- Refreshed `origin/main` checked: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nConfirmed affected range:\n\n```text\n\u003e= 1.5.0, \u003c= 1.7.1\n```\n\nBoundary:\n\n```text\n1.4.0 does not export MCPServer and does not ship dist/mcp/server.js.\n```\n\nNo fixed npm version is known at the time of this report.\n\n### Version Sweep\n\nThe included sweep installs selected npm versions and checks the HTTP `MCPServer` path:\n\n```fish\nnode poc/version_sweep_poc.js\n```\n\nObserved result:\n\n```text\n1.4.0: mcpServerExported=false, hasDistMcpServer=false\n1.5.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::\n1.5.4: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::\n1.6.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::\n1.7.0: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::\n1.7.1: mcpServerExported=true, hasDistMcpServer=true, noAuthToolCallInvoked=true, bindAddress=::\n```\n\n## Advisory History\n\nKnown related public advisories:\n\n- `GHSA-9mqq-jqxf-grvw` / `CVE-2026-44336`: `pip:praisonai` MCP `tools/call` path traversal to RCE in Python `praisonai mcp serve`, affected `\u003c= 4.6.33`.\n- `CVE-2026-47394`: `pip:praisonai` incomplete MCP path traversal fix affecting Python workflow/deploy handlers.\n- poc: deprecated Python MCP SSE Host/Origin/session issue.\n- poc: npm TypeScript AgentOS missing authentication.\n\nThis report is distinct because it targets:\n\n- ecosystem: `npm`;\n- package: `praisonai`;\n- component: `src/praisonai-ts/src/mcp/server.ts`;\n- root cause: TypeScript `MCPServer` HTTP transport missing auth and not using `MCPSecurity`;\n- primitive: unauthenticated and invalid-auth JSON-RPC `tools/call` invokes arbitrary registered TypeScript MCP tools; and\n- affected range: `\u003e= 1.5.0, \u003c= 1.7.1`.\n\nThe Python MCP advisories cover path traversal in specific Python MCP tool handlers. They do not cover the npm TypeScript `MCPServer` transport or its unwired security manager.",
"id": "GHSA-j4f3-55x4-r6q2",
"modified": "2026-06-18T14:26:48Z",
"published": "2026-06-18T14:26:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-j4f3-55x4-r6q2"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "npm PraisonAI MCPServer exposes unauthenticated HTTP tools/call"
}
GHSA-J4G8-P5XF-CX8J
Vulnerability from github – Published: 2026-02-20 18:31 – Updated: 2026-02-25 00:31Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0.
{
"affected": [],
"aliases": [
"CVE-2025-67970"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-20T16:22:03Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through \u003c= 1.0.",
"id": "GHSA-j4g8-p5xf-cx8j",
"modified": "2026-02-25T00:31:21Z",
"published": "2026-02-20T18:31:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67970"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/schedula-smart-appointment-booking/vulnerability/wordpress-schedula-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4GC-V87P-MGG2
Vulnerability from github – Published: 2026-04-29 12:33 – Updated: 2026-04-29 12:33Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through <= 2.19.22.
{
"affected": [],
"aliases": [
"CVE-2026-42648"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T12:16:20Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Spectra: from n/a through \u003c= 2.19.22.",
"id": "GHSA-j4gc-v87p-mgg2",
"modified": "2026-04-29T12:33:08Z",
"published": "2026-04-29T12:33:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42648"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-plugin-2-19-22-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4GW-33J8-8F5J
Vulnerability from github – Published: 2025-12-10 21:31 – Updated: 2025-12-30 21:30UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the 'ft[grp]' parameter. Attackers can send a GET request to /html/user with 'ft[grp]' set to integer value '3' to gain super admin rights without authentication.
{
"affected": [],
"aliases": [
"CVE-2020-36902"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T21:16:03Z",
"severity": "CRITICAL"
},
"details": "UBICOD Medivision Digital Signage 1.5.1 contains an authorization bypass vulnerability that allows normal users to escalate privileges by manipulating the \u0027ft[grp]\u0027 parameter. Attackers can send a GET request to /html/user with \u0027ft[grp]\u0027 set to integer value \u00273\u0027 to gain super admin rights without authentication.",
"id": "GHSA-j4gw-33j8-8f5j",
"modified": "2025-12-30T21:30:25Z",
"published": "2025-12-10T21:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-36902"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/48684"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/ubicod-medivision-digital-signage-authorization-bypass-via-user-privileges"
},
{
"type": "WEB",
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5575.php"
},
{
"type": "WEB",
"url": "http://www.medivision.co.kr"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.