Authentication Bypass in PraisonAI by Mervin Praison
CVE-2026-61427
6.9MEDIUM
What is CVE-2026-61427?
PraisonAI versions prior to 4.6.78 present an authentication bypass vulnerability due to the exposure of its MCP HTTP-stream transport without proper authentication controls. By default, the CLI option for --api-key is set to None, allowing unauthenticated clients to initiate sessions and access various functionalities without the need for a valid Authorization header. This oversight enables unauthorized users to enumerate tools and invoke them, which could lead to unintended interactions with the system. To mitigate risks associated with this vulnerability, operators must ensure API keys are configured and not bind the server to publicly accessible addresses unless all security measures are in place.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
