Compliance Impact

This vulnerability allows unauthenticated modification of the tool approval allowlist, which bypasses the human-in-the-loop safety mechanism designed to prevent unauthorized tool execution.

Such unauthorized access and control could lead to improper handling of sensitive data or unauthorized actions within the system, potentially violating security and privacy requirements mandated by standards like GDPR and HIPAA.

However, the provided information does not explicitly describe the direct impact on compliance with these regulations.

Useful 0 Not Useful 0

Executive Summary

This vulnerability exists in PraisonAI versions prior to 4.5.128 in the gateway's /api/approval/allow-list endpoint. When no authentication token is configured (which is the default setting), this endpoint allows unauthenticated users to modify the tool approval allowlist.

An attacker can add dangerous tool names such as shell_exec or file_write to this allowlist. Doing so causes the ExecApprovalManager to automatically approve all future invocations of those tools by agents, effectively bypassing the human-in-the-loop safety mechanism that is intended to control and approve tool usage.

This vulnerability is fixed in version 4.5.128.

Useful 0 Not Useful 0

Impact Analysis

The impact of this vulnerability is that an attacker can bypass critical safety controls by modifying the tool approval allowlist without authentication.

This allows the attacker to execute dangerous tools automatically, potentially leading to unauthorized code execution or file manipulation.

Because the human-in-the-loop approval mechanism is bypassed, malicious actions can proceed without oversight, increasing the risk of system compromise or data integrity issues.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves checking if the PraisonAI gateway's /api/approval/allow-list endpoint is accessible without authentication and if the auth_token is not configured (default setting).

One approach is to attempt accessing the /api/approval/allow-list endpoint on the PraisonAI gateway and observe if modifications to the tool approval allowlist can be made without authentication.

Since no specific commands or tools are provided in the context, a general method would be to use curl or similar HTTP clients to test the endpoint, for example:

• curl -X POST http://<praisonai_gateway>/api/approval/allow-list -d '{"tool_name":"shell_exec"}'

If the request succeeds without authentication and modifies the allowlist, the system is vulnerable.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade PraisonAI to version 4.5.128 or later, where this vulnerability is fixed.

If upgrading immediately is not possible, configure an auth_token on the gateway to prevent unauthenticated access to the /api/approval/allow-list endpoint.

Additionally, review and restrict access to the gateway to trusted users only, and monitor for any unauthorized modifications to the tool approval allowlist.

Useful 0 Not Useful 0