Authentication Bypass in PraisonAI Affects Remote Users
CVE-2026-61435
8.8HIGH
What is CVE-2026-61435?
An authentication bypass vulnerability exists in PraisonAI up to version 4.6.78, where improper handling of the Host header allows remote attackers to invoke API endpoints without authentication. The flaw arises when the PRAISONAI_CALL_AUTH parameter is set to disabled, permitting unauthorized access to both agent listing and invocation functionalities through the manipulation of the HTTP Host header. Attackers can exploit this misconfiguration by sending a crafted request that mimics legitimate localhost binding, thereby bypassing intended security mechanisms.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
