PraisonAI Auth Bypass (CVE-2026-34953)
An unauthenticated attacker can bypass authentication and take full control of a PraisonAI agent team by sending any arbitrary Bearer token. Upgrade to version 4.5.97.
Patch now: CVE-2026-34953 is a critical authentication bypass affecting all PraisonAI versions prior to 4.5.97. It grants an unauthenticated remote attacker full administrative control of the AI agent team. Upgrade to version 4.5.97 immediately; no workarounds are available.
Overview
A critical security flaw in the PraisonAI multi-agent system allows complete authentication bypass. The vulnerability, tracked as CVE-2026-34953, resides in the OAuthManager.validate_token() function. This function incorrectly returns True for any token not found in its internal storage, which is empty by default. Consequently, any HTTP request sent to the PraisonAI MCP server with an arbitrary Bearer token is treated as fully authenticated.
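The fail-open logic described above, shown next to a fail-closed form, as an added example that is not PraisonAI's source code. The class names, the in-memory token store, and the probe list are assumptions made for illustration; only the validate_token() name and the "unknown token returns True" behaviour come from this advisory.

```python
import hashlib
import secrets
import time


class FailOpenValidator:
    """Constructed model of the flaw described above (not PraisonAI source)."""
    def __init__(self):
        self._tokens = {}  # token -> expiry (epoch seconds); empty by default

    def validate_token(self, token):
        expiry = self._tokens.get(token)
        if expiry is None:
            return True  # BUG: a token missing from storage is treated as valid
        return time.time() < expiry


class FailClosedValidator:
    """Hardened form: only a stored, unexpired token is accepted."""
    def __init__(self):
        self._tokens = {}  # sha256(token) -> expiry; raw tokens are never stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue_token(self, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = time.time() + ttl_seconds
        return token

    def validate_token(self, token):
        if not isinstance(token, str) or not token:
            return False
        expiry = self._tokens.get(self._digest(token))
        if expiry is None:
            return False  # default deny: unknown means rejected
        return time.time() < expiry


def default_deny_failures(validator):
    """Return the never-issued inputs that a validator wrongly accepts."""
    probes = ["fake_token", "", "x" * 64]
    return [p for p in probes if validator.validate_token(p)]


if __name__ == "__main__":
    for v in (FailOpenValidator(), FailClosedValidator()):
        print(type(v).__name__, "accepts:", default_deny_failures(v))
```

A check in the style of default_deny_failures() works as a regression test for any token validator: with an empty store, the list of accepted probes must be empty.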
Technical Impact
With a CVSS score of 9.1 (Critical), this flaw is highly severe due to its network accessibility and lack of required privileges or user interaction. An unauthenticated remote attacker can send a request with any fabricated token (e.g., Bearer fake_token) and gain unrestricted access to the entire PraisonAI instance. This includes all registered tools, agent capabilities, and the underlying systems they can interact with, effectively handing over administrative control of the AI agent team to an attacker.
Affected Versions and Remediation
All versions of PraisonAI prior to version 4.5.97 are vulnerable.
Immediate Action Required:
- Patch: Upgrade PraisonAI to version 4.5.97 or later immediately. This is the only complete remediation.
- Isolate: If immediate patching is not possible, restrict network access to the PraisonAI MCP server. Ensure it is not exposed to the public internet and is placed behind strict network segmentation controls.
- Monitor: Review access logs for any unusual activity or authentication attempts to the MCP server endpoint.
There are no viable workarounds or configuration changes to mitigate this flaw in vulnerable versions; the core authentication logic itself is defective.
Security Insight
This vulnerability is a stark example of the “default-deny” security principle implemented in reverse, where a system defaults to granting access. It mirrors classic flaws in early web applications where missing authentication logic was simply assumed. As AI agent systems like PraisonAI handle increasingly sensitive operations and data, this incident underscores that their foundational security controls require the same rigorous testing and design as traditional critical software, a point highlighted in our analysis “AI SOC Agent Hype Masks Growing Secrets Sprawl Crisis”. The integration of powerful tools amplifies the impact of such a basic oversight, potentially providing attackers with a powerful foothold for automated attacks, akin to tools like CyberStrikeAI.
Related Advisories
PraisonAI is a multi-agent teams system. Prior to version 4.6.9, the fix for PraisonAI's MCP command handling does not add a command allowlist or argument validation to parse_mcp_command(), allowing a...
PraisonAI is a multi-agent teams system. Prior to version 4.6.34, PraisonAI's MCP (Model Context Protocol) server (praisonai mcp serve) registers four file-handling tools by default — praisonai.rules....
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrus...
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote ses...