Authentication Bypass in PraisonAI by Mervin Praison
CVE-2026-61427

6.9MEDIUM

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61427?

PraisonAI versions prior to 4.6.78 present an authentication bypass vulnerability due to the exposure of its MCP HTTP-stream transport without proper authentication controls. By default, the CLI option for --api-key is set to None, allowing unauthenticated clients to initiate sessions and access various functionalities without the need for a valid Authorization header. This oversight enables unauthorized users to enumerate tools and invoke them, which could lead to unintended interactions with the system. To mitigate risks associated with this vulnerability, operators must ensure API keys are configured and not bind the server to publicly accessible addresses unless all security measures are in place.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dinhvaren
.