CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14606 vulnerabilities reference this CWE, most recent first.
GHSA-VM3Q-7657-HF38
Vulnerability from github – Published: 2023-02-07 00:30 – Updated: 2023-02-15 18:30In Boa, there is a possible information disclosure due to a missing permission check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.
{
"affected": [],
"aliases": [
"CVE-2021-31576"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-02-06T22:15:00Z",
"severity": "HIGH"
},
"details": "In Boa, there is a possible information disclosure due to a missing permission check. This could lead to remote information disclosure to a proximal attacker with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: A20210008; Issue ID: OSBNB00123241.",
"id": "GHSA-vm3q-7657-hf38",
"modified": "2023-02-15T18:30:21Z",
"published": "2023-02-07T00:30:25Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-31576"
},
{
"type": "WEB",
"url": "https://corp.mediatek.com/product-security-acknowledgements"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VM49-QX2V-G672
Vulnerability from github – Published: 2026-02-11 06:30 – Updated: 2026-02-11 18:31The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.
{
"affected": [],
"aliases": [
"CVE-2025-15400"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-02-11T06:15:47Z",
"severity": "MODERATE"
},
"details": "The Pix para Woocommerce WordPress plugin through 2.13.3 allows any authenticated user to trigger AJAX actions that reset payment gateway configuration options without capability or nonce checks. This permits any authenticated users, such as subscribers to clear API credentials and webhook status, causing persistent disruption of OpenPix payment functionality.",
"id": "GHSA-vm49-qx2v-g672",
"modified": "2026-02-11T18:31:28Z",
"published": "2026-02-11T06:30:41Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15400"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/54c1251f-96be-4d70-b773-3db26b599838"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VM52-XW7F-3537
Vulnerability from github – Published: 2024-12-09 15:31 – Updated: 2026-04-28 21:35Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.
{
"affected": [],
"aliases": [
"CVE-2023-24407"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-12-09T13:15:22Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in WpDevArt Booking calendar, Appointment Booking System allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Booking calendar, Appointment Booking System: from n/a through 3.2.3.",
"id": "GHSA-vm52-xw7f-3537",
"modified": "2026-04-28T21:35:16Z",
"published": "2024-12-09T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24407"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/booking-calendar/vulnerability/wordpress-booking-calendar-appointment-booking-system-plugin-3-2-3-broken-access-control?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
]
}
GHSA-VM5M-QMRX-FW8W
Vulnerability from github – Published: 2024-01-24 15:30 – Updated: 2025-02-13 19:33Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don't have access. This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "apache-airflow"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.8.1rc1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-50944"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2024-01-24T21:01:04Z",
"nvd_published_at": "2024-01-24T13:15:08Z",
"severity": "HIGH"
},
"details": "Apache Airflow, versions before 2.8.1, have a vulnerability that allows an authenticated user to access the source code of a DAG to which they don\u0027t have access.\u00a0This vulnerability is considered low since it requires an authenticated user to exploit it. Users are recommended to upgrade to version 2.8.1, which fixes this issue.",
"id": "GHSA-vm5m-qmrx-fw8w",
"modified": "2025-02-13T19:33:14Z",
"published": "2024-01-24T15:30:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-50944"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/pull/36257"
},
{
"type": "WEB",
"url": "https://github.com/apache/airflow/commit/8d76538d6e105947272b000581c6fabec20146b1"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/airflow"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/apache-airflow/PYSEC-2024-14.yaml"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/92krb5mpcq8qrw4t4j5oooqw7hgd8q7h"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2024/01/24/5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Airflow: Bypass permission verification to read code of other dags"
}
GHSA-VM74-522R-GMH6
Vulnerability from github – Published: 2025-10-22 15:31 – Updated: 2026-01-20 15:31Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPGuppy: from n/a through <= 1.1.4.
{
"affected": [],
"aliases": [
"CVE-2025-49910"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-22T15:15:36Z",
"severity": "HIGH"
},
"details": "Missing Authorization vulnerability in AmentoTech Private Limited WPGuppy wpguppy-lite allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects WPGuppy: from n/a through \u003c= 1.1.4.",
"id": "GHSA-vm74-522r-gmh6",
"modified": "2026-01-20T15:31:23Z",
"published": "2025-10-22T15:31:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49910"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-4-broken-access-control-vulnerability"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/wpguppy-lite/vulnerability/wordpress-wpguppy-plugin-1-1-4-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VM99-C867-38Q4
Vulnerability from github – Published: 2024-07-17 09:30 – Updated: 2026-04-08 18:33The Event Manager, Events Calendar, Tickets, Registrations – Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the 'import_file' function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.
{
"affected": [],
"aliases": [
"CVE-2024-6033"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-07-17T07:15:03Z",
"severity": "MODERATE"
},
"details": "The Event Manager, Events Calendar, Tickets, Registrations \u2013 Eventin plugin for WordPress is vulnerable to unauthorized data importation due to a missing capability check on the \u0027import_file\u0027 function in all versions up to, and including, 4.0.4. This makes it possible for authenticated attackers, with Contributor-level access and above, to import events, speakers, schedules and attendee data.",
"id": "GHSA-vm99-c867-38q4",
"modified": "2026-04-08T18:33:33Z",
"published": "2024-07-17T09:30:48Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6033"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/wp-event-solution/trunk/core/admin/hooks.php#L135"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3117477"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1725c7f3-2fac-4714-a63e-6c43694483fc?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMC9-7CFM-FJW6
Vulnerability from github – Published: 2023-12-04 03:30 – Updated: 2023-12-07 15:30In firewall service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed
{
"affected": [],
"aliases": [
"CVE-2023-42713"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-04T01:15:10Z",
"severity": "MODERATE"
},
"details": "In firewall service, there is a possible way to write permission usage records of an app due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed",
"id": "GHSA-vmc9-7cfm-fjw6",
"modified": "2023-12-07T15:30:37Z",
"published": "2023-12-04T03:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-42713"
},
{
"type": "WEB",
"url": "https://www.unisoc.com/en_us/secy/announcementDetail/https://www.unisoc.com/en_us/secy/announcementDetail/1731138365803266049"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-VMF6-W6C6-596G
Vulnerability from github – Published: 2022-05-24 19:04 – Updated: 2022-05-24 19:04In LabCup before <v2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim's account. A user without the user-management privilege can change another user's email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.
{
"affected": [],
"aliases": [
"CVE-2021-33031"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-06-10T16:15:00Z",
"severity": "LOW"
},
"details": "In LabCup before \u003cv2_next_18022, it is possible to use the save API to perform unauthorized actions for users without access to user management in order to, after successful exploitation, gain access to a victim\u0027s account. A user without the user-management privilege can change another user\u0027s email address if the attacker knows details of the victim such as the exact roles and group roles, ID, and remote authentication ID settings. These must be sent in a modified save API request. It was fixed in 6.3.0.03.",
"id": "GHSA-vmf6-w6c6-596g",
"modified": "2022-05-24T19:04:51Z",
"published": "2022-05-24T19:04:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-33031"
},
{
"type": "WEB",
"url": "https://github.com/Accenture/AARO-Bugs/blob/master/AARO-CVE-List.md"
},
{
"type": "WEB",
"url": "https://labcup.net/privacy-data-security"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-VMF9-XX9W-86WX
Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
Summary
praisonaiagents.mcp.ToolsMCPServer.run_sse() builds a Starlette MCP
HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes
/sse and /messages/, but it does not validate Origin, does not validate
Host, and does not require any authentication.
This is reachable through supported PraisonAI code paths that wrap configured MCP server tools and re-expose them over legacy SSE:
praisonai mcp run <name> --transport ssepraisonai serve mcp --name <name> --transport sse- direct use of
ToolsMCPServer(...).run_sse(...)orlaunch_tools_mcp_server(..., transport="sse")
A malicious website can use DNS rebinding against a local or internal
PraisonAI SSE MCP server and send requests with attacker-controlled Host and
Origin headers. The local PoV binds only to 127.0.0.1, sends an attacker
Host and Origin, lists the registered tool, and invokes it successfully.
The same attacker Origin is rejected by PraisonAI's current Streamable HTTP
transport with HTTP 403. The vulnerability is therefore a sibling transport
guard gap in the legacy SSE wrapper, not intended behavior.
Affected product
- Repository:
MervinPraison/PraisonAI - Packages:
praisonaiagentspraisonai- Primary component:
src/praisonai-agents/praisonaiagents/mcp/mcp_server.py - CLI wrappers:
src/praisonai/praisonai/cli/commands/mcp.pysrc/praisonai/praisonai/cli/commands/serve.py- Latest verified release/current head:
praisonaiagents 1.6.58PraisonAI 4.6.58- repo head
1ad58ca02975ff1398efeda694ea2ab78f20cf3e
Suggested affected ranges:
praisonaiagents >= 0.6.0, <= 1.6.58praisonai >= 3.10.0, <= 4.6.58
No fixed version is known at submission time.
Confirmed source sweep:
v3.0.0 ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks
v3.10.0 praisonai mcp run --transport sse wraps configured tools into helper
v3.12.3 praisonai serve mcp --name --transport sse wraps configured tools
v4.0.0 same vulnerable helper and CLI wrapping paths
v4.4.12 same vulnerable helper and CLI wrapping paths
v4.5.0 same vulnerable helper and CLI wrapping paths
v4.5.56 same vulnerable helper and CLI wrapping paths
v4.5.139 same vulnerable helper and CLI wrapping paths
v4.6.57 same vulnerable helper and CLI wrapping paths
v4.6.58 same vulnerable helper and dynamic PoV succeeds
Impact
If a PraisonAI user starts a local or internal legacy SSE MCP server with registered tools, an attacker who gets that user to visit a malicious website can use DNS rebinding to interact with the SSE server through the browser. The attacker can discover exposed tools and invoke them as the local user.
Impact depends on the configured tools. In realistic PraisonAI MCP deployments, registered tools may access local files, repositories, issue trackers, cloud APIs, internal services, or other automation targets. This can lead to confidentiality, integrity, and availability impact for the resources reachable by the exposed tools.
The PoV is local-only and harmless. It exposes one marker tool that writes a canary string to a temporary directory.
Root cause
Current ToolsMCPServer.run_sse() constructs a Starlette app directly:
sse_path = "/sse"
messages_path = "/messages/"
sse_transport = SseServerTransport(messages_path)
async def handle_sse(request: Request):
async with sse_transport.connect_sse(
request.scope, request.receive, request._send
) as (read_stream, write_stream):
await mcp._mcp_server.run(
read_stream,
write_stream,
mcp._mcp_server.create_initialization_options()
)
app = Starlette(
debug=self._debug,
routes=[
Route(sse_path, endpoint=handle_sse),
Mount(messages_path, app=sse_transport.handle_post_message),
]
)
uvicorn.run(app, host=host, port=port)
There is no middleware or route-level check for:
OriginHostAuthorization- API key
- allowed origins / allowed hosts
The configured CLI wrapper exposes this path:
from praisonaiagents.mcp import MCP, ToolsMCPServer
cmd_string = " ".join(cmd)
mcp = MCP(cmd_string, timeout=60, env=server.env or {})
tools = mcp.get_tools()
mcp_server = ToolsMCPServer(name=name, tools=tools)
mcp_server.run_sse(host=host, port=port)
By contrast, the current Streamable HTTP transport validates Origin and
returns HTTP 403 for an invalid origin:
origin = request.headers.get("Origin")
if not self._validate_origin(origin):
return JSONResponse(..., status_code=403)
Local-only PoV
Run from the harness checkout:
uv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \
python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \
--repo-src artifacts/repos/praisonai-v4.6.58/src
Observed current-head result:
{
"candidate": "PRAI-CAND-015",
"http_stream_control": {
"attacker_origin": "http://attacker.example.test",
"rejects_attacker_origin": true,
"status_code": 403,
"transport": "current_http_stream"
},
"source_checks": {
"has_auth_check": false,
"has_host_check": false,
"has_origin_check": false,
"has_sse_transport": true,
"route_count": 2
},
"sse_probe": {
"attacker_headers": {
"Host": "attacker.example.test:62380",
"Origin": "http://attacker.example.test:62380"
},
"bind_host": "127.0.0.1",
"marker_value": "executed-from-attacker-origin",
"marker_written": true,
"server_started": true,
"tool_call_content": [
"recorded:executed-from-attacker-origin"
],
"tool_call_error": false,
"tool_names": [
"record_marker"
],
"vulnerable": true
},
"vulnerable": true
}
The PoV:
- imports the current
ToolsMCPServer; - registers one marker tool;
- monkey-patches
uvicorn.runonly to capture the exact Starlette app created byrun_sse(); - starts that app on
127.0.0.1; - connects to
/ssewith attacker-controlledHostandOrigin; - lists tools and calls the marker tool;
- runs a control against PraisonAI's current Streamable HTTP transport and
confirms the same attacker
Originis rejected with HTTP 403.
Why this is not intended behavior
This is not only a trust-model disagreement.
PraisonAI's MCP documentation describes Streamable HTTP, WebSocket, and legacy SSE as supported MCP transport mechanisms. The same documentation says the MCP module's security properties include origin validation, authentication headers, and secure session IDs. The transport guide also has a dedicated security section for origin validation as DNS rebinding prevention and authentication.
The official MCP specification warns that HTTP transports need origin validation to prevent DNS rebinding, should bind locally for local servers, and should implement authentication. It also says that without those protections, remote websites can interact with local MCP servers.
The upstream MCP Python SDK advisory GHSA-9h52-p55h-vw2f / CVE-2025-66416
classifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding
protection as a High severity issue because malicious websites can invoke tools
or access resources exposed by the local MCP server. That advisory also says
custom low-level SseServerTransport configurations should explicitly configure
transport security settings when running unauthenticated localhost servers.
PraisonAI's current Streamable HTTP implementation already enforces an Origin guard and rejects the exact attacker Origin used in the PoV. The issue is that the legacy SSE sibling path lacks the same boundary.
Suggested severity
Suggested severity: High.
Rationale:
AV: the attack uses browser-origin HTTP requests to a local/internal service.AC: practical exploitation requires DNS rebinding or equivalent browser origin setup.PR: no PraisonAI credentials are required by the SSE server.UR: the user must visit an attacker-controlled page.S: the vulnerable transport exposes tools that operate on resources outside the HTTP transport itself.C/I/A: exposed tools may read, mutate, or disrupt local/internal resources depending on the configured MCP server.
Suggested fix
Bring legacy SSE server security in line with the current Streamable HTTP transport, or disable the legacy SSE server path.
Recommended changes:
- Add explicit allowed-origin and allowed-host validation to both
/sseand/messages/. - Reject invalid
Originwith HTTP 403 before opening the SSE stream or accepting POST messages. - Validate
Hostfor local and internal deployments to mitigate DNS rebinding even when browsers omit or varyOrigin. - Require authentication for all non-stdio MCP HTTP transports, including SSE.
- Add
--api-key,--allowed-origins, and--allowed-hostsoptions topraisonai mcp runandpraisonai serve mcpwhen--transport sseis used. - Where the installed MCP SDK supports it, configure the SDK transport-security
settings for low-level
SseServerTransportusage instead of mounting it without Host/Origin protection. - Consider deprecating or disabling
--transport sseserver mode in favor of the current Streamable HTTP implementation. - Add regression tests proving that attacker
HostandOriginvalues are rejected on both/sseand/messages/, and that current Streamable HTTP and legacy SSE enforce the same boundary.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.58"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonaiagents"
},
"ranges": [
{
"events": [
{
"introduced": "0.6.0"
},
{
"fixed": "1.6.59"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.58"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "3.10.0"
},
{
"fixed": "4.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306",
"CWE-346",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:52:40Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "# PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools\n\n## Summary\n\n`praisonaiagents.mcp.ToolsMCPServer.run_sse()` builds a Starlette MCP\nHTTP+SSE server around `mcp.server.sse.SseServerTransport`. The server exposes\n`/sse` and `/messages/`, but it does not validate `Origin`, does not validate\n`Host`, and does not require any authentication.\n\nThis is reachable through supported PraisonAI code paths that wrap configured\nMCP server tools and re-expose them over legacy SSE:\n\n- `praisonai mcp run \u003cname\u003e --transport sse`\n- `praisonai serve mcp --name \u003cname\u003e --transport sse`\n- direct use of `ToolsMCPServer(...).run_sse(...)` or\n `launch_tools_mcp_server(..., transport=\"sse\")`\n\nA malicious website can use DNS rebinding against a local or internal\nPraisonAI SSE MCP server and send requests with attacker-controlled `Host` and\n`Origin` headers. The local PoV binds only to `127.0.0.1`, sends an attacker\n`Host` and `Origin`, lists the registered tool, and invokes it successfully.\n\nThe same attacker `Origin` is rejected by PraisonAI\u0027s current Streamable HTTP\ntransport with HTTP 403. The vulnerability is therefore a sibling transport\nguard gap in the legacy SSE wrapper, not intended behavior.\n\n## Affected product\n\n- Repository: `MervinPraison/PraisonAI`\n- Packages:\n - `praisonaiagents`\n - `praisonai`\n- Primary component:\n `src/praisonai-agents/praisonaiagents/mcp/mcp_server.py`\n- CLI wrappers:\n - `src/praisonai/praisonai/cli/commands/mcp.py`\n - `src/praisonai/praisonai/cli/commands/serve.py`\n- Latest verified release/current head:\n - `praisonaiagents 1.6.58`\n - `PraisonAI 4.6.58`\n - repo head `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n\nSuggested affected ranges:\n\n- `praisonaiagents \u003e= 0.6.0, \u003c= 1.6.58`\n- `praisonai \u003e= 3.10.0, \u003c= 4.6.58`\n\nNo fixed version is known at submission time.\n\nConfirmed source sweep:\n\n```text\nv3.0.0 ToolsMCPServer.run_sse helper present, no Origin/Host/auth checks\nv3.10.0 praisonai mcp run --transport sse wraps configured tools into helper\nv3.12.3 praisonai serve mcp --name --transport sse wraps configured tools\nv4.0.0 same vulnerable helper and CLI wrapping paths\nv4.4.12 same vulnerable helper and CLI wrapping paths\nv4.5.0 same vulnerable helper and CLI wrapping paths\nv4.5.56 same vulnerable helper and CLI wrapping paths\nv4.5.139 same vulnerable helper and CLI wrapping paths\nv4.6.57 same vulnerable helper and CLI wrapping paths\nv4.6.58 same vulnerable helper and dynamic PoV succeeds\n```\n\n## Impact\n\nIf a PraisonAI user starts a local or internal legacy SSE MCP server with\nregistered tools, an attacker who gets that user to visit a malicious website\ncan use DNS rebinding to interact with the SSE server through the browser. The\nattacker can discover exposed tools and invoke them as the local user.\n\nImpact depends on the configured tools. In realistic PraisonAI MCP deployments,\nregistered tools may access local files, repositories, issue trackers, cloud\nAPIs, internal services, or other automation targets. This can lead to\nconfidentiality, integrity, and availability impact for the resources reachable\nby the exposed tools.\n\nThe PoV is local-only and harmless. It exposes one marker tool that writes a\ncanary string to a temporary directory.\n\n## Root cause\n\nCurrent `ToolsMCPServer.run_sse()` constructs a Starlette app directly:\n\n```python\nsse_path = \"/sse\"\nmessages_path = \"/messages/\"\nsse_transport = SseServerTransport(messages_path)\n\nasync def handle_sse(request: Request):\n async with sse_transport.connect_sse(\n request.scope, request.receive, request._send\n ) as (read_stream, write_stream):\n await mcp._mcp_server.run(\n read_stream,\n write_stream,\n mcp._mcp_server.create_initialization_options()\n )\n\napp = Starlette(\n debug=self._debug,\n routes=[\n Route(sse_path, endpoint=handle_sse),\n Mount(messages_path, app=sse_transport.handle_post_message),\n ]\n)\n\nuvicorn.run(app, host=host, port=port)\n```\n\nThere is no middleware or route-level check for:\n\n- `Origin`\n- `Host`\n- `Authorization`\n- API key\n- allowed origins / allowed hosts\n\nThe configured CLI wrapper exposes this path:\n\n```python\nfrom praisonaiagents.mcp import MCP, ToolsMCPServer\ncmd_string = \" \".join(cmd)\nmcp = MCP(cmd_string, timeout=60, env=server.env or {})\ntools = mcp.get_tools()\nmcp_server = ToolsMCPServer(name=name, tools=tools)\nmcp_server.run_sse(host=host, port=port)\n```\n\nBy contrast, the current Streamable HTTP transport validates `Origin` and\nreturns HTTP 403 for an invalid origin:\n\n```python\norigin = request.headers.get(\"Origin\")\nif not self._validate_origin(origin):\n return JSONResponse(..., status_code=403)\n```\n\n## Local-only PoV\n\nRun from the harness checkout:\n\n```bash\nuv run --with mcp --with starlette --with uvicorn --with httpx --with anyio \\\n python submission-bundle/praisonai-prai-cand-015-mcp-sse-host-origin-bypass/poc/pov_prai_cand_015_sse_mcp_host_origin_bypass.py \\\n --repo-src artifacts/repos/praisonai-v4.6.58/src\n```\n\nObserved current-head result:\n\n```json\n{\n \"candidate\": \"PRAI-CAND-015\",\n \"http_stream_control\": {\n \"attacker_origin\": \"http://attacker.example.test\",\n \"rejects_attacker_origin\": true,\n \"status_code\": 403,\n \"transport\": \"current_http_stream\"\n },\n \"source_checks\": {\n \"has_auth_check\": false,\n \"has_host_check\": false,\n \"has_origin_check\": false,\n \"has_sse_transport\": true,\n \"route_count\": 2\n },\n \"sse_probe\": {\n \"attacker_headers\": {\n \"Host\": \"attacker.example.test:62380\",\n \"Origin\": \"http://attacker.example.test:62380\"\n },\n \"bind_host\": \"127.0.0.1\",\n \"marker_value\": \"executed-from-attacker-origin\",\n \"marker_written\": true,\n \"server_started\": true,\n \"tool_call_content\": [\n \"recorded:executed-from-attacker-origin\"\n ],\n \"tool_call_error\": false,\n \"tool_names\": [\n \"record_marker\"\n ],\n \"vulnerable\": true\n },\n \"vulnerable\": true\n}\n```\n\nThe PoV:\n\n1. imports the current `ToolsMCPServer`;\n2. registers one marker tool;\n3. monkey-patches `uvicorn.run` only to capture the exact Starlette app created\n by `run_sse()`;\n4. starts that app on `127.0.0.1`;\n5. connects to `/sse` with attacker-controlled `Host` and `Origin`;\n6. lists tools and calls the marker tool;\n7. runs a control against PraisonAI\u0027s current Streamable HTTP transport and\n confirms the same attacker `Origin` is rejected with HTTP 403.\n\n## Why this is not intended behavior\n\nThis is not only a trust-model disagreement.\n\nPraisonAI\u0027s MCP documentation describes Streamable HTTP, WebSocket, and legacy\nSSE as supported MCP transport mechanisms. The same documentation says the MCP\nmodule\u0027s security properties include origin validation, authentication headers,\nand secure session IDs. The transport guide also has a dedicated security\nsection for origin validation as DNS rebinding prevention and authentication.\n\nThe official MCP specification warns that HTTP transports need origin\nvalidation to prevent DNS rebinding, should bind locally for local servers, and\nshould implement authentication. It also says that without those protections,\nremote websites can interact with local MCP servers.\n\nThe upstream MCP Python SDK advisory `GHSA-9h52-p55h-vw2f` / `CVE-2025-66416`\nclassifies unauthenticated localhost HTTP/SSE MCP servers without DNS rebinding\nprotection as a High severity issue because malicious websites can invoke tools\nor access resources exposed by the local MCP server. That advisory also says\ncustom low-level `SseServerTransport` configurations should explicitly configure\ntransport security settings when running unauthenticated localhost servers.\n\nPraisonAI\u0027s current Streamable HTTP implementation already enforces an Origin\nguard and rejects the exact attacker Origin used in the PoV. The issue is that\nthe legacy SSE sibling path lacks the same boundary.\n\n\n## Suggested severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: the attack uses browser-origin HTTP requests to a local/internal\n service.\n- `AC`: practical exploitation requires DNS rebinding or equivalent browser\n origin setup.\n- `PR`: no PraisonAI credentials are required by the SSE server.\n- `UR`: the user must visit an attacker-controlled page.\n- `S`: the vulnerable transport exposes tools that operate on resources\n outside the HTTP transport itself.\n- `C/I/A`: exposed tools may read, mutate, or disrupt local/internal\n resources depending on the configured MCP server.\n\n## Suggested fix\n\nBring legacy SSE server security in line with the current Streamable HTTP\ntransport, or disable the legacy SSE server path.\n\nRecommended changes:\n\n1. Add explicit allowed-origin and allowed-host validation to both `/sse` and\n `/messages/`.\n2. Reject invalid `Origin` with HTTP 403 before opening the SSE stream or\n accepting POST messages.\n3. Validate `Host` for local and internal deployments to mitigate DNS rebinding\n even when browsers omit or vary `Origin`.\n4. Require authentication for all non-stdio MCP HTTP transports, including SSE.\n5. Add `--api-key`, `--allowed-origins`, and `--allowed-hosts` options to\n `praisonai mcp run` and `praisonai serve mcp` when `--transport sse` is used.\n6. Where the installed MCP SDK supports it, configure the SDK transport-security\n settings for low-level `SseServerTransport` usage instead of mounting it\n without Host/Origin protection.\n7. Consider deprecating or disabling `--transport sse` server mode in favor of\n the current Streamable HTTP implementation.\n8. Add regression tests proving that attacker `Host` and `Origin` values are\n rejected on both `/sse` and `/messages/`, and that current Streamable HTTP and\n legacy SSE enforce the same boundary.",
"id": "GHSA-vmf9-xx9w-86wx",
"modified": "2026-06-18T13:52:40Z",
"published": "2026-06-18T13:52:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vmf9-xx9w-86wx"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools"
}
GHSA-VMH7-68X6-GW3H
Vulnerability from github – Published: 2025-04-01 00:30 – Updated: 2025-11-03 21:33A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access protected user data.
{
"affected": [],
"aliases": [
"CVE-2025-24181"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-31T23:15:17Z",
"severity": "CRITICAL"
},
"details": "A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Ventura 13.7.5, macOS Sequoia 15.4, macOS Sonoma 14.7.5. An app may be able to access protected user data.",
"id": "GHSA-vmh7-68x6-gw3h",
"modified": "2025-11-03T21:33:18Z",
"published": "2025-04-01T00:30:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-24181"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122373"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122374"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122375"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/10"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/8"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Apr/9"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.