GHSA-8ccj-p46r-jwqq: PraisonAI auth bypass exposes

Q: Is GHSA-8ccj-p46r-jwqq actively exploited?

No confirmed active exploitation of GHSA-8ccj-p46r-jwqq has been reported, but organizations should still patch proactively.

Q: How to fix GHSA-8ccj-p46r-jwqq?

1. Patch immediately: upgrade to praisonai ≥ 4.6.61. 2. Audit all Docker Compose files, Kubernetes ConfigMaps, and environment configs for `PRAISONAI_CALL_AUTH=disabled` — remove or replace with a strong token. 3. If patching is temporarily blocked, restrict network access to the invoke API endpoint at the firewall or ingress layer — do not expose it publicly. 4. Review agent tool configurations and apply least-privilege: disable tools that grant shell, file, or database access unless strictly required. 5. Search logs for unauthenticated POST requests to `/api/v1/agents/*/invoke` to determine if exploitation occurred before the patch.

Q: What systems are affected by GHSA-8ccj-p46r-jwqq?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration pipelines, containerized AI deployments, API-based agent orchestration, agentic tool execution environments.

Q: What is the CVSS score for GHSA-8ccj-p46r-jwqq?

GHSA-8ccj-p46r-jwqq has a CVSS v3.1 base score of 8.2 (HIGH).

CISO Take

PraisonAI versions before 4.6.61 contain an authentication bypass where setting the environment variable `PRAISONAI_CALL_AUTH=disabled` unconditionally skips all token verification on the `/api/v1/agents/{id}/invoke` endpoint, granting any unauthenticated caller full access to invoke registered agents. The severity is compounded by the fact that the application's own error messages advertise this bypass, making it nearly certain to appear in production Docker and Compose configurations as an operations convenience — the CVSS 8.2 score reflects network-accessible, zero-privilege, zero-interaction exploitation. With 104 prior CVEs in the same package and agents typically configured with tools that execute code, access filesystems, or call external APIs, the blast radius of an unauthorized invocation can extend well beyond data disclosure. Upgrade to praisonai ≥ 4.6.61 immediately and audit all container environment configurations for `PRAISONAI_CALL_AUTH=disabled`.

Sources: GitHub Advisory ATLAS NVD

What is the risk?

High risk. The exploitation bar is trivially low — an attacker needs only to discover an exposed PraisonAI instance with the auth-disabled flag, which is likely given that the application itself suggests this configuration in error messages. The CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms no preconditions. Impact depends entirely on what tools each registered agent has access to, which in agentic deployments can include code execution, file I/O, and external API calls — making this a lateral-movement amplifier in any environment where PraisonAI is network-exposed.

How does the attack unfold?

Discovery

Attacker identifies an internet-exposed PraisonAI instance via port scanning or Shodan, or receives a hint from the application's own error message advertising the `PRAISONAI_CALL_AUTH=disabled` bypass.

AML.T0006

Authentication Bypass

Attacker sends an unauthenticated POST request to `/api/v1/agents/{id}/invoke` and receives a 200 response, confirming the auth-disabled flag is set and all token verification is skipped unconditionally.

AML.T0049

Agent Enumeration

Attacker queries available agent IDs and inspects their tool definitions to identify which agents have access to high-value capabilities such as shell execution, file I/O, or external API connectors.

AML.T0084

Impact via Tool Invocation

Attacker invokes the highest-privilege agent with a crafted payload, achieving arbitrary code execution, data exfiltration, or lateral movement depending on the tools configured for that agent.

AML.T0053

Discovery

Attacker identifies an internet-exposed PraisonAI instance via port scanning or Shodan, or receives a hint from the application's own error message advertising the `PRAISONAI_CALL_AUTH=disabled` bypass.

AML.T0006

Authentication Bypass

Attacker sends an unauthenticated POST request to `/api/v1/agents/{id}/invoke` and receives a 200 response, confirming the auth-disabled flag is set and all token verification is skipped unconditionally.

AML.T0049

Agent Enumeration

Attacker queries available agent IDs and inspects their tool definitions to identify which agents have access to high-value capabilities such as shell execution, file I/O, or external API connectors.

AML.T0084

Impact via Tool Invocation

Attacker invokes the highest-privilege agent with a crafted payload, achieving arbitrary code execution, data exfiltration, or lateral movement depending on the tools configured for that agent.

AML.T0053

What systems are affected?

Package	Ecosystem	Vulnerable Range	Patched
PraisonAI	pip	< 4.6.61	`4.6.61`
1 dependents 89% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1

8.2 / 10

EPSS

N/A

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR None

UI None

S Unchanged

C High

I Low

A None

What should I do?

5 steps

Patch immediately: upgrade to praisonai ≥ 4.6.61.
Audit all Docker Compose files, Kubernetes ConfigMaps, and environment configs for PRAISONAI_CALL_AUTH=disabled — remove or replace with a strong token.
If patching is temporarily blocked, restrict network access to the invoke API endpoint at the firewall or ingress layer — do not expose it publicly.
Review agent tool configurations and apply least-privilege: disable tools that grant shell, file, or database access unless strictly required.
Search logs for unauthenticated POST requests to /api/v1/agents/*/invoke to determine if exploitation occurred before the patch.

How is it classified?

Auth Bypass Code Execution Agent API AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0053 - AI Agent Tool Invocation AML.T0084 - Discover AI Agent Configuration

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, robustness and cybersecurity

ISO 42001

6.1.2 - AI risk assessment — access control to AI systems

NIST AI RMF

MANAGE 2.2 - Mechanisms to sustain effectiveness of risk responses for AI risks

OWASP LLM Top 10

LLM06 - Excessive Agency

Frequently Asked Questions

What is GHSA-8ccj-p46r-jwqq?

PraisonAI versions before 4.6.61 contain an authentication bypass where setting the environment variable `PRAISONAI_CALL_AUTH=disabled` unconditionally skips all token verification on the `/api/v1/agents/{id}/invoke` endpoint, granting any unauthenticated caller full access to invoke registered agents. The severity is compounded by the fact that the application's own error messages advertise this bypass, making it nearly certain to appear in production Docker and Compose configurations as an operations convenience — the CVSS 8.2 score reflects network-accessible, zero-privilege, zero-interaction exploitation. With 104 prior CVEs in the same package and agents typically configured with tools that execute code, access filesystems, or call external APIs, the blast radius of an unauthorized invocation can extend well beyond data disclosure. Upgrade to praisonai ≥ 4.6.61 immediately and audit all container environment configurations for `PRAISONAI_CALL_AUTH=disabled`.

Is GHSA-8ccj-p46r-jwqq actively exploited?

No confirmed active exploitation of GHSA-8ccj-p46r-jwqq has been reported, but organizations should still patch proactively.

How to fix GHSA-8ccj-p46r-jwqq?

1. Patch immediately: upgrade to praisonai ≥ 4.6.61. 2. Audit all Docker Compose files, Kubernetes ConfigMaps, and environment configs for `PRAISONAI_CALL_AUTH=disabled` — remove or replace with a strong token. 3. If patching is temporarily blocked, restrict network access to the invoke API endpoint at the firewall or ingress layer — do not expose it publicly. 4. Review agent tool configurations and apply least-privilege: disable tools that grant shell, file, or database access unless strictly required. 5. Search logs for unauthenticated POST requests to `/api/v1/agents/*/invoke` to determine if exploitation occurred before the patch.

What systems are affected by GHSA-8ccj-p46r-jwqq?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration pipelines, containerized AI deployments, API-based agent orchestration, agentic tool execution environments.

What is the CVSS score for GHSA-8ccj-p46r-jwqq?

GHSA-8ccj-p46r-jwqq has a CVSS v3.1 base score of 8.2 (HIGH).

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent orchestration pipelinescontainerized AI deploymentsAPI-based agent orchestrationagentic tool execution environments

MITRE ATLAS Techniques

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0053 AI Agent Tool Invocation

AML.T0084 Discover AI Agent Configuration

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: 6.1.2

NIST AI RMF: MANAGE 2.2

OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

### Summary Setting `PRAISONAI_CALL_AUTH=disabled` completely disables all authentication on the `/api/v1/agents/{id}/invoke` endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations. ### Details ```python # src/praisonai/praisonai/api/agent_invoke.py:32 _CALL_AUTH_DISABLED = os.getenv('PRAISONAI_CALL_AUTH', '').lower() == 'disabled' async def verify_token(...) -> None: if _CALL_AUTH_DISABLED: return # all authentication skipped unconditionally ``` The application's own error message advertises the bypass: > "Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication." This causes the setting to appear in Docker/Compose configurations as a convenience option. ### Proof of Concept ```python import os os.environ["PRAISONAI_CALL_AUTH"] = "disabled" # verify_token() now returns immediately for any request # POST /api/v1/agents/any-agent/invoke → 200 OK (no token needed) ``` Common vulnerable deployment: ```yaml # docker-compose.yml environment: - PRAISONAI_CALL_AUTH=disabled # auth completely disabled ``` ### Impact Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.

Exploitation Scenario

An attacker scans for internet-exposed PraisonAI instances using Shodan or similar (searching for the characteristic API path or Docker image). Upon discovering a target, they send an unauthenticated POST to `/api/v1/agents/any-id/invoke` — if the server returns a 200 rather than a 401, authentication is disabled. The attacker then enumerates available agents and their tool definitions, identifies one with shell execution or file system access, and invokes it with a crafted payload to achieve code execution or data exfiltration on the host. In a containerized environment, this can escalate to container escape if the agent has privileged mounts.

Weaknesses (CWE)

CWE-287 Improper Authentication Primary

CWE-287 — Improper Authentication: When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.