PT-2026-53146 · Pypi · Praisonai
Published
2026-06-18
·
Updated
2026-06-18
CVSS v3.1
8.3
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L |
PraisonAI Slack app mention bypasses configured user/channel authorization
Summary
PraisonAI's Slack bot applies its configured
allowed users,
allowed channels, and unknown-user pairing policy in the normal Slack
message event handler, but not in the adjacent Slack app mention event
handler.A Slack workspace user who can mention the bot in a channel where the Slack app
is present can trigger the configured PraisonAI agent even when:
- the sender is not in
BotConfig.allowed users; - the channel is not in
BotConfig.allowed channels; unknown user policy="deny"is configured; and- the same event content is correctly dropped by the normal
messagehandler.
This is a sibling-handler guard-coverage issue. Slack documents
app mention as a distinct event type rather than a message.* event, so
deployments subscribed to app mentions can route unauthorized sender input
around the guarded message path.Affected product
- Repository:
MervinPraison/PraisonAI - Package:
praisonai - Component:
src/praisonai/praisonai/bots/slack.py - Configuration component:
src/praisonai-agents/praisonaiagents/bots/config.py
Confirmed affected:
text
v3.11.0 7f37d754a72511a71f7eeaaa8e9f367a5dc45fd8
v3.11.14 44b800df0eddf32dd5242f47da7513e4a3159d76
v3.12.0 51f95ad904a6616b35caede1cd74026ec8f7152c
v4.4.5 9a3363c900fa3be3fce5483be7f6c1f418757ebb
v4.4.6 90b00f9a25ee5c7ccf4b6ab3152700e1881f262d
v4.4.12 7d0657632fc477673153ad116cecf692b454bfa3
v4.5.2 8ddbb4ee7152d3fa68fbaaf6e6c610ae03d938d3
v4.5.16 02a19776517cc76483fd58dcd6a5fdf8c2c45170
v4.5.28 16f93251766505a79f237a0f07f68a0ecb17e358
v4.5.112 bfe3d94bad6db92fc2927c2e3c081ae8303e209e
v4.5.128 b4e3a8a84ade44ac3dd9102b792cdb4311a95937
v4.6.10 4b1b17b963cbd0625e41394a30168c95b26429b2
v4.6.33 dfbb8d78ec7e8dc7118bc722ab1b2524bc98ddab
v4.6.34 e5928449f73f66cc8af1de61621aa974ab255133
v4.6.56 d3c4a2afadfbf3a3e172e460e607ba4efad263a6
v4.6.57 e90d92231853161ad931f3498da57651a9f8b528
v4.6.58 1ad58ca02975ff1398efeda694ea2ab78f20cf3eUnaffected boundary control:
text
v3.10.24 de1734c29a50af18cf8c69e1d1d90e0f8e391aaev3.10.24 does not contain src/praisonai/praisonai/bots/slack.py.Suggested affected range:
praisonai >= 3.11.0, <= 4.6.58.Root cause
The guarded
message handler converts the Slack event into a BotMessage,
then applies channel and sender policy before any agent call:python
@self. app.event("message")
async def handle message(event, say):
if event.get("bot id"):
return
bot message = self. convert event to message(event)
bot message. channel type = "slack"
self.fire message received(bot message)
if not self.config.is channel allowed(
bot message.channel.channel id if bot message.channel else ""
):
return
user id = bot message.sender.user id if bot message.sender else ""
is explicitly allowed = (
bool(self.config.allowed users) and self.config.is user allowed(user id)
)
if not is explicitly allowed:
user allowed = await UnknownUserHandler.handle(bot message, self. bot context)
if not user allowed:
returnOnly after these checks does
handle message call the session manager and
agent.The adjacent
app mention handler strips the bot mention and directly invokes
the agent session. It never calls is channel allowed(),
is user allowed(), or UnknownUserHandler.handle():python
@self. app.event("app mention")
async def handle mention(event, say):
if event.get("bot id"):
return
text = event.get("text", "")
if self. bot user:
text = text.replace(f"<@{self. bot user.user id}>", "").strip()
if self. agent:
user id = event.get("user", "unknown")
response = await self. session.chat(
self. agent, user id, text,
chat id=str(event.get("channel", "")),
thread id=event.get("thread ts", "") or "",
message id=event.get("ts", ""),
account=self. config.get("account", "default"),
)Older affected releases use
self. agent.chat(text) instead of
self. session.chat(...), but have the same policy gap: message checks
allowed users and allowed channels; app mention does not.Local-only PoV
Run from the harness checkout:
fish
env PYTHONPATH="artifacts/repos/praisonai-v4.6.58/src/praisonai:artifacts/repos/praisonai-v4.6.58/src/praisonai-agents"
python3 submission-bundle/praisonai-prai-cand-017-slack-app-mention-authz-bypass/poc/pov prai cand 017 slack app mention authz bypass.py
--repo artifacts/repos/praisonai-v4.6.58
--label v4.6.58The PoV mocks Slack Bolt and Slack SDK in-process. It does not connect to
Slack, bind a network port, or require real tokens.
The PoV configures:
python
BotConfig(
allowed users=["U ALLOWED"],
allowed channels=["C ALLOWED"],
unknown user policy="deny",
mention required=True,
)It then invokes the real registered SlackBot handlers with the same event
payloads.
Observed
v4.6.58 result:json
{
"affected": true,
"scenarios": [
{
"name": "blocked user blocked channel",
"message delta": 0,
"app mention delta": 1
},
{
"name": "blocked user allowed channel",
"message delta": 0,
"app mention delta": 1
},
{
"name": "allowed user blocked channel",
"message delta": 0,
"app mention delta": 1
},
{
"name": "allowed user allowed channel control",
"message delta": 1,
"app mention delta": 1
}
]
}The first three scenarios are authorization bypasses. The fourth is the
positive control showing that an allowed user in an allowed channel can invoke
the agent through both paths.
Stored evidence:
evidence/pov-v4.6.58.jsonevidence/version-sweep.tsv
Why this is not intended behavior
PraisonAI's bot security documentation describes Slack user/channel allowlists
and built-in DM filtering as Slack security features. It also describes
unknown user policy="deny" and pairing flows as production controls for
unknown users.The code itself confirms the intended boundary: the normal
message handler
performs channel and sender authorization before any agent call. The vulnerable
app mention path is adjacent to that handler and routes the same sender,
channel, text, timestamp, and thread metadata to the agent without those checks.Slack's own documentation states that
app mention is a separate event type,
not a message.* event. A PraisonAI deployment that subscribes to
app mention therefore cannot rely on the normal message handler to apply
the same sender/channel policy.The PoV includes a direct control: the same unauthorized payloads are dropped
by the guarded
message handler and accepted by app mention.Impact
An attacker needs the ability to cause Slack to deliver an
app mention event
to the PraisonAI Slack app, such as by mentioning the bot in a channel where the
app is present or by using Slack's invite-by-mention flow where applicable.When exploited, the attacker can submit arbitrary prompt text to the configured
PraisonAI agent despite Slack bot allowlists or pairing policy. The downstream
impact depends on the deployed agent and tools. PraisonAI's default bot config
auto-approves safe tools and includes web, memory, scheduling, file, planning,
and skill tools, so unauthorized invocation can affect confidentiality and
integrity in real deployments.
This report does not claim compromise of Slack itself, bypass of Slack request
signature verification, or arbitrary code execution by default.
Suggested fix
Use one shared authorization preflight for every Slack ingress path before
firing message hooks or invoking agents.
Concrete patch direction:
- Convert
app mentionevents throughconvert event to message()or a dedicated equivalent that preserves sender, channel, text, timestamp, and thread metadata. - Set
bot message. channel type = "slack"forapp mention. - Run the same channel check, user allowlist check, and
UnknownUserHandler.handle(...)policy used byhandle message. - Only then strip the bot mention and invoke
session.chat(...). - Add regression tests for:
- blocked user plus blocked channel:
messageandapp mentionboth drop; - blocked user in allowed channel: both drop;
- allowed user in blocked channel: both drop;
- allowed user in allowed channel: both invoke;
unknown user policy="pair":app mentionstarts the same pairing flow instead of invoking the agent.
Fix
Missing Authorization
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Praisonai