CVE-2026-34953
Received Received - Intake

Authentication Bypass in PraisonAI OAuthManager Grants Full Access

Vulnerability report for CVE-2026-34953, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-03

Last updated on: 2026-04-09

Assigner: GitHub, Inc.

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-03
Last Modified
2026-04-09
Generated
2026-07-06
AI Q&A
2026-04-04
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praison praisonai to 4.5.97 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

The vulnerability occurs because the OAuthManager.validate_token() method returns True for any token not found in its internal store, which is empty by default. This means any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated.

To detect this vulnerability on your system or network, you can attempt to send HTTP requests to the MCP server using arbitrary Bearer tokens and observe if access is granted.

A simple command to test this could be using curl to send a request with a random Bearer token:

  • curl -H "Authorization: Bearer randomtoken123" http://<MCP_server_address>/

If the server responds with access granted or does not reject the token, it indicates the vulnerability is present.

Note that this vulnerability is patched in version 4.5.97, so verifying the version of PraisonAI OAuthManager is also important.

Executive Summary

The vulnerability exists in PraisonAI's OAuthManager.validate_token() function prior to version 4.5.97. This function incorrectly returns True for any token that is not found in its internal store, which is empty by default. As a result, any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated.

This means that an attacker can use any token, even one that is invalid or fabricated, to gain access to the system.

Impact Analysis

Because any arbitrary Bearer token is accepted as valid, an attacker can gain full access to all registered tools and agent capabilities within the PraisonAI system.

This can lead to unauthorized access, data exposure, manipulation of system functions, and potentially compromise the integrity and confidentiality of the system.

Mitigation Strategies

The vulnerability can be mitigated by upgrading PraisonAI to version 4.5.97 or later, where the issue with OAuthManager.validate_token() has been patched.

Compliance Impact

This vulnerability allows any HTTP request with an arbitrary Bearer token to be treated as authenticated, granting full access to all registered tools and agent capabilities.

Such unauthorized access could lead to exposure or misuse of sensitive data, which may violate data protection requirements under standards like GDPR and HIPAA.

Therefore, this issue could negatively impact compliance with these regulations by failing to properly secure authentication and protect sensitive information.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34953. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart