Skip to main content

PraisonAI CVE-2026-61427

| EUVDEUVD-2026-44638 MEDIUM
Improper Input Validation (CWE-20)
2026-07-15 VulnCheck GHSA-5866-9272-qcfv
6.9
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
5.6 MEDIUM

AC:H reflects that two non-default operator choices (no API key and public bind) must co-occur; impacts are Low across C/I/A given tool-scope dependency.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
Patch available
Jul 15, 2026 - 13:03 EUVD
Analysis Generated
Jul 15, 2026 - 12:36 vuln.today

DescriptionCVE.org

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream' without an API key, an unauthenticated client (no Authorization header, and no Origin header, which is also permitted) can initialize a session, enumerate the available tools (tools/list), and invoke tools (tools/call). Additionally, the dispatcher forwards tool-call arguments to handlers without validating them against the advertised inputSchema. The server binds to 127.0.0.1 by default, so remote exploitation requires the operator to bind to a network-accessible address (e.g., --host 0.0.0.0).

AnalysisAI

PraisonAI's MCP HTTP-stream transport silently skips authentication when no API key is configured at startup, allowing unauthenticated clients to initialize sessions, enumerate tools via tools/list, and invoke arbitrary tools via tools/call. Affected versions are all releases before 4.6.78. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Operator starts MCP server without --api-key and --host 0.0.0.0
Delivery
Attacker reaches exposed MCP TCP port
Exploit
Send unauthenticated MCP initialize request
Install
Enumerate registered tools via tools/list
C2
Craft schema-violating tools/call payload
Execute
Invoke tool with arbitrary arguments
Impact
Achieve tool-defined read/write/action impact

Vulnerability AssessmentAI

Exploitation Exploitation requires two simultaneous non-default operator configurations: (1) the MCP server must be started without the --api-key argument (defaulting to None, which disables auth enforcement entirely), and (2) the server must be bound to a network-accessible interface by passing --host 0.0.0.0 or equivalent, overriding the default 127.0.0.1 bind. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) scores 6.9 and treats this as a straightforward unauthenticated network vulnerability, but that framing warrants scrutiny: the description explicitly states the server binds to 127.0.0.1 by default, meaning remote exploitation is gated on the operator consciously choosing --host 0.0.0.0 (or an equivalent public bind). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An operator deploys PraisonAI MCP in a cloud environment and starts the server with 'praisonai mcp serve --transport http-stream --host 0.0.0.0' without specifying --api-key (a plausible configuration for a shared development server or containerised deployment). An attacker who can reach the exposed port sends a bare MCP initialize request with no Authorization or Origin header, receives a valid session response, follows up with a tools/list call to enumerate all registered tools, and then issues tools/call requests with arbitrary - potentially schema-violating - arguments to invoke those tools, achieving read or write actions scoped to whatever capabilities the registered MCP tools expose.
Remediation Upgrade PraisonAI to version 4.6.78 or later, which is the vendor-released patch per the advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hc5v-gxvj-58wh. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-61447 CRITICAL
10.0 Jul 11

Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th

CVE-2026-61445 CRITICAL
9.4 Jul 11

Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let

CVE-2026-40157 CRITICAL
9.4 Apr 10

Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug

CVE-2026-61444 CRITICAL
9.4 Jul 10

Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api

CVE-2026-60090 CRITICAL
9.3 Jul 11

SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr

CVE-2026-40151 MEDIUM POC
5.3 Apr 09

PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet

CVE-2026-40154 CRITICAL
9.3 Apr 09

Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to

CVE-2026-40289 CRITICAL
9.1 Apr 14

Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140

CVE-2026-61426 HIGH
8.8 Jul 11

Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts

CVE-2026-61436 HIGH
8.8 Jul 15

Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece

CVE-2026-61435 HIGH
8.8 Jul 15

Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca

CVE-2026-61439 HIGH
8.7 Jul 11

System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection

Share

CVE-2026-61427 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy