CVE Disclosure

CVE-2026-47393

PraisonAI · Python

API code generator ships Flask servers with authentication disabled by default — unauthenticated agent/tool execution

CVSS: 9.8
Severity: Critical
Class: CWE-306
Fixed in: 4.6.40

Summary

CVE-2026-47393 is a critical (CVSS 9.8) vulnerability in PraisonAI. The API code generator creates Flask servers with authentication disabled by default. Operators following the documented quickstart — praisonai deploy --type api — receive a server that exposes the /chat and /agents endpoints and does not require any authentication.

The generated check_auth() function contains a short-circuit that returns True whenever AUTH_ENABLED = False — which is the default. Authentication is effectively opt-in, and nothing in the documented path turns it on.

Impact

An operator deploying via the vendor-documented quickstart obtains a network-reachable Flask server that invokes praisonai.run() on attacker-supplied JSON, with the user's LLM API keys present in the process environment. Attackers gain unauthenticated access to LLM orchestration, tool execution, and agent-defined capabilities, with high confidentiality, integrity, and availability impact (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Resolution

Upgrade to PraisonAI 4.6.40 or later. Until patched, do not expose generated API servers to untrusted networks, and explicitly enable authentication rather than relying on defaults. The deeper lesson for reviewers: an insecure default (CWE-1188) on a critical function (CWE-306) means the documented happy path is the vulnerable path — secure-by-default is the only default that survives copy-paste deployment.
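The short-circuit described in the Summary, next to a fail-closed alternative that matches the secure-by-default point above. This is an added example, not PraisonAI's generated code or its 4.6.40 fix: only the names AUTH_ENABLED and check_auth come from the advisory, while the function bodies, the bearer-token scheme, the API_AUTH_TOKEN variable and the 32-character minimum are assumptions.

```python
import hmac

# Constructed stand-in for the pattern the advisory describes; the names
# AUTH_ENABLED and check_auth come from the page, the bodies are assumptions.
AUTH_ENABLED = False   # the shipped default
AUTH_TOKEN = None


def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    value = value.strip()
    return value if scheme.lower() == "bearer" and value else None


def check_auth_fail_open(headers):
    """Vulnerable shape: the default flag short-circuits to 'allowed'."""
    if not AUTH_ENABLED:
        return True
    presented = bearer_token(headers)
    return presented is not None and presented == AUTH_TOKEN


def load_required_token(env):
    """Startup guard: refuse to serve when no usable token is configured."""
    token = (env.get("API_AUTH_TOKEN") or "").strip()  # hypothetical variable name
    if len(token) < 32:
        raise RuntimeError("API_AUTH_TOKEN missing or shorter than 32 characters")
    return token


def check_auth_fail_closed(headers, expected_token):
    """Hardened shape: no off switch; missing config or header means deny."""
    presented = bearer_token(headers)
    if not expected_token or presented is None:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented.encode(), expected_token.encode())
```

With the fail-closed form, a deployment that skips configuration fails at startup in load_required_token() instead of serving requests without a credential check.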

Disclosure

Reported by SnailSploit. Status: Published. Coordinated with the PraisonAI maintainer; fixed in 4.6.40. See also the companion finding CVE-2026-47398 (code injection via unguarded exec_module).

Author
Kai Aizen
Independent Adversarial · Research group. Published CVEs, 5 Linux kernel mainline patches, creator of AATMF / P.R.O.M.P.T / SEF, author of Adversarial Minds.
Quick facts
ID: CVE-2026-47393
Product: PraisonAI
Severity: 9.8 · Critical
Class: CWE-306
Affected: praisonai (pip) ≤ 4.6.39 · Fixed: 4.6.40
References: GHSA-8444-4fhq-fxpq · MITRE · NVD
Frequently asked

CVE-2026-47393 — questions & answers

What is CVE-2026-47393?

A critical missing-authentication vulnerability (CWE-306) in PraisonAI. The API code generator creates Flask servers with authentication disabled by default; check_auth() returns True whenever AUTH_ENABLED is False (the default). The documented quickstart exposes /chat and /agents with no authentication.

Am I affected by CVE-2026-47393?

You are affected if you deployed a PraisonAI API server (praisonai deploy --type api) on version 4.6.39 or earlier without explicitly enabling authentication. If reachable from an untrusted network, treat it as fully exposed.

How do I fix CVE-2026-47393?

Upgrade to PraisonAI 4.6.40 or later. Until then, do not expose generated API servers to untrusted networks and explicitly enable authentication instead of relying on defaults.

What is the impact of CVE-2026-47393?

Unauthenticated attackers can invoke praisonai.run() on attacker-supplied JSON with the operator's LLM API keys in the process environment — access to LLM orchestration, tool execution, and agent capabilities. CVSS 9.8 Critical.

Where can I find authoritative references?

The PraisonAI GitHub Security Advisory GHSA-8444-4fhq-fxpq, the MITRE CVE record for CVE-2026-47393, and the NVD detail page once published.