GHSA-8CCJ-P46R-JWQQ
Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27
VLAI
Summary
PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
Details
Summary
Setting PRAISONAI_CALL_AUTH=disabled completely disables all authentication on the /api/v1/agents/{id}/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.
Details
# src/praisonai/praisonai/api/agent_invoke.py:32
_CALL_AUTH_DISABLED = os.getenv('PRAISONAI_CALL_AUTH', '').lower() == 'disabled'
async def verify_token(...) -> None:
if _CALL_AUTH_DISABLED:
return # all authentication skipped unconditionally
The application's own error message advertises the bypass:
"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication."
This causes the setting to appear in Docker/Compose configurations as a convenience option.
Proof of Concept
import os
os.environ["PRAISONAI_CALL_AUTH"] = "disabled"
# verify_token() now returns immediately for any request
# POST /api/v1/agents/any-agent/invoke → 200 OK (no token needed)
Common vulnerable deployment:
# docker-compose.yml
environment:
- PRAISONAI_CALL_AUTH=disabled # auth completely disabled
Impact
Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.
Severity
8.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.61"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:27:15Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nSetting `PRAISONAI_CALL_AUTH=disabled` completely disables all authentication on the `/api/v1/agents/{id}/invoke` endpoint. This bypass is advertised in the application\u0027s own error messages, making it likely to appear in production Docker and Compose configurations.\n\n### Details\n\n```python\n# src/praisonai/praisonai/api/agent_invoke.py:32\n_CALL_AUTH_DISABLED = os.getenv(\u0027PRAISONAI_CALL_AUTH\u0027, \u0027\u0027).lower() == \u0027disabled\u0027\n\nasync def verify_token(...) -\u003e None:\n if _CALL_AUTH_DISABLED:\n return # all authentication skipped unconditionally\n```\n\nThe application\u0027s own error message advertises the bypass:\n\u003e \"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication.\"\n\nThis causes the setting to appear in Docker/Compose configurations as a convenience option.\n\n### Proof of Concept\n\n```python\nimport os\nos.environ[\"PRAISONAI_CALL_AUTH\"] = \"disabled\"\n# verify_token() now returns immediately for any request\n# POST /api/v1/agents/any-agent/invoke \u2192 200 OK (no token needed)\n```\n\nCommon vulnerable deployment:\n\n```yaml\n# docker-compose.yml\nenvironment:\n - PRAISONAI_CALL_AUTH=disabled # auth completely disabled\n```\n\n### Impact\nFull unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent\u0027s configured tools.",
"id": "GHSA-8ccj-p46r-jwqq",
"modified": "2026-06-18T14:27:15Z",
"published": "2026-06-18T14:27:15Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8ccj-p46r-jwqq"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…