Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
Published: 2026-04-03
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

PraisonAI allowed any unknown bearer token to be accepted as valid, enabling attackers to authenticate without a valid token. The flaw originates in the OAuthManager.validate_token() method, which returns True for tokens not found in its internal store. Because the store is empty by default, any arbitrary token grants full access to all tools and agent capabilities. The weakness maps to CWE-863 and results in unauthorized access to sensitive functionality.
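The fail-open check described above, beside a fail-closed replacement, as an added illustration that is not PraisonAI's own code; the class and function names (FailOpenOAuthManager, FailClosedOAuthManager, bearer_token, is_authenticated) are hypothetical.

```python
# Added illustration of the CVE-2026-34953 pattern; not PraisonAI code.
import hmac
import secrets
from typing import Optional


class FailOpenOAuthManager:
    """Hypothetical manager reproducing the reported defect."""

    def __init__(self):
        self._tokens = {}  # token -> subject; empty unless tokens were issued

    def validate_token(self, token: Optional[str]) -> bool:
        if token in self._tokens:
            return True
        return True  # unknown token also accepted: an empty store admits everyone


class FailClosedOAuthManager:
    """Hardened form: accept only explicitly issued tokens, compare them in
    constant time, and treat an empty store as "nobody is authorised"."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = subject
        return token

    def validate_token(self, token: Optional[str]) -> bool:
        if not token or not self._tokens:
            return False  # fail closed: nothing issued means nothing accepted
        presented = token.encode("utf-8")  # bytes, so non-ASCII input cannot raise
        return any(hmac.compare_digest(presented, known.encode("utf-8"))
                   for known in self._tokens)


def bearer_token(authorization_header: Optional[str]) -> Optional[str]:
    """Extract the credential from an 'Authorization: Bearer <token>' header."""
    if not authorization_header:
        return None
    scheme, _, credential = authorization_header.partition(" ")
    credential = credential.strip()
    if scheme.lower() != "bearer" or not credential:
        return None
    return credential


def is_authenticated(manager, authorization_header: Optional[str]) -> bool:
    """Gate a hypothetical MCP request on the manager's verdict."""
    return manager.validate_token(bearer_token(authorization_header))
```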

Affected Systems

MervinPraison PraisonAI versions earlier than 4.5.97 are affected. The issue exists in the MCP server implementation before 4.5.97. Patching to version 4.5.97 or later removes the flaw.

Risk and Exploitability

The CVSS score of 9.1 indicates high severity. The EPSS is below 1%, suggesting low current exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. The attack can be executed simply by sending an HTTP request with any bearer token over the network to the MCP server. Because unknown tokens are accepted rather than rejected, exploitation is trivial for an attacker with network access, potentially leading to full system compromise.

Generated by OpenCVE AI on April 9, 2026 at 18:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch to version 4.5.97 or later.
  • If patching is not immediately possible, block or validate bearer tokens at the network perimeter.
  • Monitor incoming requests for unusual token usage and audit access logs.

Advisories
Source: GitHub GHSA
ID: GHSA-98f9-fqg5-hvq5
Title: PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
History

Thu, 09 Apr 2026 17:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Praison; Praison praisonai
CPEs                 -               cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products   -               Praison; Praison praisonai

Tue, 07 Apr 2026 00:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared  -               Mervinpraison; Mervinpraison praisonai
Vendors & Products   -               Mervinpraison; Mervinpraison praisonai

Mon, 06 Apr 2026 16:45:00 +0000

Type     Values Removed  Values Added
Metrics  -               ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sat, 04 Apr 2026 00:00:00 +0000

Type         Values Removed  Values Added
Description  -               PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
Title        -               PraisonAI: Authentication Bypass in OAuthManager.validate_token()
Weaknesses   -               CWE-863
References   -               -
Metrics      -               cvssV3_1: {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T16:04:54.615Z

Reserved: 2026-03-31T17:27:08.661Z

Link: CVE-2026-34953

Vulnrichment

Updated: 2026-04-06T16:04:44.692Z

NVD

Status : Analyzed

Published: 2026-04-03T23:17:06.653

Modified: 2026-04-09T16:52:58.253

Link: CVE-2026-34953

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:45:32Z

Weaknesses