GHSA-8CCJ-P46R-JWQQ

Vulnerability from github – Published: 2026-06-18 14:27 – Updated: 2026-06-18 14:27
VLAI
Summary
PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication
Details

Summary

Setting PRAISONAI_CALL_AUTH=disabled completely disables all authentication on the /api/v1/agents/{id}/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.

Details

# src/praisonai/praisonai/api/agent_invoke.py:32
_CALL_AUTH_DISABLED = os.getenv('PRAISONAI_CALL_AUTH', '').lower() == 'disabled'

async def verify_token(...) -> None:
    if _CALL_AUTH_DISABLED:
        return  # all authentication skipped unconditionally

The application's own error message advertises the bypass:

"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication."

This causes the setting to appear in Docker/Compose configurations as a convenience option.

Proof of Concept

import os
os.environ["PRAISONAI_CALL_AUTH"] = "disabled"
# verify_token() now returns immediately for any request
# POST /api/v1/agents/any-agent/invoke → 200 OK (no token needed)

Common vulnerable deployment:

# docker-compose.yml
environment:
  - PRAISONAI_CALL_AUTH=disabled  # auth completely disabled

Impact

Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.61"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T14:27:15Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nSetting `PRAISONAI_CALL_AUTH=disabled` completely disables all authentication on the `/api/v1/agents/{id}/invoke` endpoint. This bypass is advertised in the application\u0027s own error messages, making it likely to appear in production Docker and Compose configurations.\n\n### Details\n\n```python\n# src/praisonai/praisonai/api/agent_invoke.py:32\n_CALL_AUTH_DISABLED = os.getenv(\u0027PRAISONAI_CALL_AUTH\u0027, \u0027\u0027).lower() == \u0027disabled\u0027\n\nasync def verify_token(...) -\u003e None:\n    if _CALL_AUTH_DISABLED:\n        return  # all authentication skipped unconditionally\n```\n\nThe application\u0027s own error message advertises the bypass:\n\u003e \"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication.\"\n\nThis causes the setting to appear in Docker/Compose configurations as a convenience option.\n\n### Proof of Concept\n\n```python\nimport os\nos.environ[\"PRAISONAI_CALL_AUTH\"] = \"disabled\"\n# verify_token() now returns immediately for any request\n# POST /api/v1/agents/any-agent/invoke \u2192 200 OK (no token needed)\n```\n\nCommon vulnerable deployment:\n\n```yaml\n# docker-compose.yml\nenvironment:\n  - PRAISONAI_CALL_AUTH=disabled  # auth completely disabled\n```\n\n### Impact\nFull unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent\u0027s configured tools.",
  "id": "GHSA-8ccj-p46r-jwqq",
  "modified": "2026-06-18T14:27:15Z",
  "published": "2026-06-18T14:27:15Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8ccj-p46r-jwqq"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…