PT-2026-53120 · Pypi · Praisonaiagents

Published

2026-06-18

·

Updated

2026-06-18

CVSS v3.1

4.3

Medium

VectorAV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Summary

The SSE (Server-Sent Events) server in src/praisonai-agents/praisonaiagents/server/server.py exposes a /publish endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The ServerConfig dataclass (line 24) defines an auth token field, but this token is never validated in the /publish or /events request handlers. Any attacker with access to the SSE server port can inject arbitrary events into the SSE stream visible to all connected clients, or use /info to leak server configuration including connected client count.

Details

Vulnerable code (lines 164–180):
python
async def publish(request):
  try:
    data = await request.json()
    event type = data.get("type", "message")
    event data = data.get("data", {})

    self.broadcast(event type, event data)

    return JSONResponse({
      "success": True,
      "clients": len(self. clients),
    })
The auth token field in ServerConfig (line 31):
python
@dataclass
class ServerConfig:
  ...
  auth token: Optional[str] = None
This auth token is never referenced in any request handler. The /publish endpoint processes any POST request regardless of authentication headers. The /info endpoint (line 182) also has no auth and returns server configuration including self.config.to dict().
Routes registration (lines 190–194):
python
routes = [
  Route("/health", health, methods=["GET"]),
  Route("/events", events, methods=["GET"]),
  Route("/publish", publish, methods=["POST"]),
  Route("/info", info, methods=["GET"]),
]
No authentication middleware or token validation is applied to any route.

PoC

Setup: Start the SSE server (default port 8765). This is the documented server mode for streaming agent events.
Positive trigger — unauthenticated event injection:
bash
# From any network-reachable host:
curl -X POST http://localhost:8765/publish 
 -H "Content-Type: application/json" 
 -d '{"type": "message", "data": {"text": "INJECTED: arbitrary content sent to all clients"}}'
Expected response:
json
{"success": true, "clients": 3}
The response confirms the injection was broadcast to all connected SSE clients, and leaks the number of connected clients.
Positive trigger — info leak:
bash
curl http://localhost:8765/info
Expected response:
json
{
 "name": "PraisonAI Agent Server",
 "version": "1.0.0",
 "clients": 3,
 "config": {
  "host": "127.0.0.1",
  "port": 8765,
  "auth token": "***",
  ...
 }
}
Negative control — if auth were enforced: A request without a valid Authorization: Bearer <token> header should return 401 Unauthorized. Currently, it returns 200 OK with no auth check.
Cleanup: No persistent changes.

Impact

An attacker with access to the SSE server port (default 8765, bound to 127.0.0.1 by default per DEFAULT HOST at line 21) can:
  • Inject arbitrary events into the SSE stream, potentially causing connected client applications to process malicious data, trigger actions, or display misleading content
  • Leak server configuration including number of connected clients and server settings via /info
  • Use the response to confirm connected client count, enabling reconnaissance
While the default binds to localhost, deployments in containers or cloud environments commonly override the host to 0.0.0.0 to allow external access. When the host is overridden, this is exploitable from the network without authentication.

Suggested remediation

  1. Validate auth token in the /publish and /events handlers:
python
async def publish(request):
  token = request.headers.get("Authorization", "").replace("Bearer ", "")
  if self.config.auth token and token != self.config.auth token:
    return JSONResponse({"error": "Unauthorized"}, status code=401)
  # ... proceed with broadcast
  1. Apply the same token validation to /events (for reading) and /info.
  2. The default binding to 127.0.0.1 is appropriate; maintain this default and warn when overridden to 0.0.0.0.
  3. Document the auth token configuration option and recommend setting it in production.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

GHSA-35W5-PCW4-JX94

Affected Products

Praisonaiagents