Authentication Bypass in PraisonAI Affects Remote Users
CVE-2026-61435

8.8HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61435?

An authentication bypass vulnerability exists in PraisonAI up to version 4.6.78, where improper handling of the Host header allows remote attackers to invoke API endpoints without authentication. The flaw arises when the PRAISONAI_CALL_AUTH parameter is set to disabled, permitting unauthorized access to both agent listing and invocation functionalities through the manipulation of the HTTP Host header. Attackers can exploit this misconfiguration by sending a crafted request that mimics legitimate localhost binding, thereby bypassing intended security mechanisms.

Affected Version(s)

PraisonAI 0 < 4.6.78

PraisonAI 4.6.78

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

rexpository
.