AI Threat Alert
## Summary The SSE (Server-Sent Events) server in `src/praisonai-agents/praisonaiagents/server/server.py` exposes a `/publish` endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The `ServerConfig` dataclass (line 24) defines an `auth_token` field, but...
Full CISO analysis pending enrichment.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI Agents | pip | <= 1.6.48 | 1.6.59 |
Do you use PraisonAI Agents? You're affected.
How severe is it?
What is the attack surface?
What should I do?
Patch available
Update PraisonAI Agents to version 1.6.59
Which compliance frameworks are affected?
Compliance analysis pending. Sign in for full compliance mapping when available.
Frequently Asked Questions
What is GHSA-35w5-pcw4-jx94?
## Summary The SSE (Server-Sent Events) server in `src/praisonai-agents/praisonaiagents/server/server.py` exposes a `/publish` endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The `ServerConfig` dataclass (line 24) defines an `auth_token` field, but this token is never validated in the `/publish` or `/events` request handlers. Any attacker with access to the SSE server port can inject arbitrary events into the SSE stream visible to all connected clients, or use `/info` to leak server configuration including connected client count. ## Details **Vulnerable code (lines 164–180):** ```python async def publish(request): try: data = await request.json() event_type = data.get("type", "message") event_data = data.get("data", {}) self.broadcast(event_type, event_data) return JSONResponse({ "success": True, "clients": len(self._clients), }) ``` The `auth_token` field in `ServerConfig` (line 31): ```python @dataclass class ServerConfig: ... auth_token: Optional[str] = None ``` This `auth_token` is **never referenced** in any request handler. The `/publish` endpoint processes any POST request regardless of authentication headers. The `/info` endpoint (line 182) also has no auth and returns server configuration including `self.config.to_dict()`. **Routes registration (lines 190–194):** ```python routes = [ Route("/health", health, methods=["GET"]), Route("/events", events, methods=["GET"]), Route("/publish", publish, methods=["POST"]), Route("/info", info, methods=["GET"]), ] ``` No authentication middleware or token validation is applied to any route. ## PoC **Setup:** Start the SSE server (default port 8765). This is the documented server mode for streaming agent events. **Positive trigger — unauthenticated event injection:** ```bash # From any network-reachable host: curl -X POST http://localhost:8765/publish \ -H "Content-Type: application/json" \ -d '{"type": "message", "data": {"text": "INJECTED: arbitrary content sent to all clients"}}' ``` **Expected response:** ```json {"success": true, "clients": 3} ``` The response confirms the injection was broadcast to all connected SSE clients, and leaks the number of connected clients. **Positive trigger — info leak:** ```bash curl http://localhost:8765/info ``` **Expected response:** ```json { "name": "PraisonAI Agent Server", "version": "1.0.0", "clients": 3, "config": { "host": "127.0.0.1", "port": 8765, "auth_token": "***", ... } } ``` **Negative control — if auth were enforced:** A request without a valid `Authorization: Bearer <token>` header should return 401 Unauthorized. Currently, it returns 200 OK with no auth check. **Cleanup:** No persistent changes. ## Impact An attacker with access to the SSE server port (default 8765, bound to `127.0.0.1` by default per `DEFAULT_HOST` at line 21) can: - **Inject arbitrary events** into the SSE stream, potentially causing connected client applications to process malicious data, trigger actions, or display misleading content - **Leak server configuration** including number of connected clients and server settings via `/info` - **Use the response** to confirm connected client count, enabling reconnaissance While the default binds to localhost, deployments in containers or cloud environments commonly override the host to `0.0.0.0` to allow external access. When the host is overridden, this is exploitable from the network without authentication. ## Suggested remediation 1. **Validate `auth_token`** in the `/publish` and `/events` handlers: ```python async def publish(request): token = request.headers.get("Authorization", "").replace("Bearer ", "") if self.config.auth_token and token != self.config.auth_token: return JSONResponse({"error": "Unauthorized"}, status_code=401) # ... proceed with broadcast ``` 2. Apply the same token validation to `/events` (for reading) and `/info`. 3. The default binding to `127.0.0.1` is appropriate; maintain this default and warn when overridden to `0.0.0.0`. 4. Document the `auth_token` configuration option and recommend setting it in production.
Is GHSA-35w5-pcw4-jx94 actively exploited?
No confirmed active exploitation of GHSA-35w5-pcw4-jx94 has been reported, but organizations should still patch proactively.
How to fix GHSA-35w5-pcw4-jx94?
Update to patched version: PraisonAI Agents 1.6.59.
What is the CVSS score for GHSA-35w5-pcw4-jx94?
GHSA-35w5-pcw4-jx94 has a CVSS v3.1 base score of 4.3 (MEDIUM).
What are the technical details?
Original Advisory
## Summary The SSE (Server-Sent Events) server in `src/praisonai-agents/praisonaiagents/server/server.py` exposes a `/publish` endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The `ServerConfig` dataclass (line 24) defines an `auth_token` field, but this token is never validated in the `/publish` or `/events` request handlers. Any attacker with access to the SSE server port can inject arbitrary events into the SSE stream visible to all connected clients, or use `/info` to leak server configuration including connected client count. ## Details **Vulnerable code (lines 164–180):** ```python async def publish(request): try: data = await request.json() event_type = data.get("type", "message") event_data = data.get("data", {}) self.broadcast(event_type, event_data) return JSONResponse({ "success": True, "clients": len(self._clients), }) ``` The `auth_token` field in `ServerConfig` (line 31): ```python @dataclass class ServerConfig: ... auth_token: Optional[str] = None ``` This `auth_token` is **never referenced** in any request handler. The `/publish` endpoint processes any POST request regardless of authentication headers. The `/info` endpoint (line 182) also has no auth and returns server configuration including `self.config.to_dict()`. **Routes registration (lines 190–194):** ```python routes = [ Route("/health", health, methods=["GET"]), Route("/events", events, methods=["GET"]), Route("/publish", publish, methods=["POST"]), Route("/info", info, methods=["GET"]), ] ``` No authentication middleware or token validation is applied to any route. ## PoC **Setup:** Start the SSE server (default port 8765). This is the documented server mode for streaming agent events. **Positive trigger — unauthenticated event injection:** ```bash # From any network-reachable host: curl -X POST http://localhost:8765/publish \ -H "Content-Type: application/json" \ -d '{"type": "message", "data": {"text": "INJECTED: arbitrary content sent to all clients"}}' ``` **Expected response:** ```json {"success": true, "clients": 3} ``` The response confirms the injection was broadcast to all connected SSE clients, and leaks the number of connected clients. **Positive trigger — info leak:** ```bash curl http://localhost:8765/info ``` **Expected response:** ```json { "name": "PraisonAI Agent Server", "version": "1.0.0", "clients": 3, "config": { "host": "127.0.0.1", "port": 8765, "auth_token": "***", ... } } ``` **Negative control — if auth were enforced:** A request without a valid `Authorization: Bearer <token>` header should return 401 Unauthorized. Currently, it returns 200 OK with no auth check. **Cleanup:** No persistent changes. ## Impact An attacker with access to the SSE server port (default 8765, bound to `127.0.0.1` by default per `DEFAULT_HOST` at line 21) can: - **Inject arbitrary events** into the SSE stream, potentially causing connected client applications to process malicious data, trigger actions, or display misleading content - **Leak server configuration** including number of connected clients and server settings via `/info` - **Use the response** to confirm connected client count, enabling reconnaissance While the default binds to localhost, deployments in containers or cloud environments commonly override the host to `0.0.0.0` to allow external access. When the host is overridden, this is exploitable from the network without authentication. ## Suggested remediation 1. **Validate `auth_token`** in the `/publish` and `/events` handlers: ```python async def publish(request): token = request.headers.get("Authorization", "").replace("Bearer ", "") if self.config.auth_token and token != self.config.auth_token: return JSONResponse({"error": "Unauthorized"}, status_code=401) # ... proceed with broadcast ``` 2. Apply the same token validation to `/events` (for reading) and `/info`. 3. The default binding to `127.0.0.1` is appropriate; maintain this default and warn when overridden to `0.0.0.0`. 4. Document the `auth_token` configuration option and recommend setting it in production.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-39888 10.0 praisonaiagents: sandbox escape enables host RCE
Same package: praisonaiagents CVE-2026-34938 10.0 praisonaiagents: sandbox bypass enables full host RCE
Same package: praisonaiagents CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonaiagents GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonaiagents CVE-2026-47391 9.8 PraisonAI: Unauth RCE via A2A eval injection
Same package: praisonaiagents