CVE-2026-61427
Received Received - Intake

PraisonAI MCP HTTP-Stream Unauthenticated Access

Vulnerability report for CVE-2026-61427, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-15

Last updated on: 2026-07-15

Assigner: VulnCheck

Description

PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream' without an API key, an unauthenticated client (no Authorization header, and no Origin header, which is also permitted) can initialize a session, enumerate the available tools (tools/list), and invoke tools (tools/call). Additionally, the dispatcher forwards tool-call arguments to handlers without validating them against the advertised inputSchema. The server binds to 127.0.0.1 by default, so remote exploitation requires the operator to bind to a network-accessible address (e.g., --host 0.0.0.0).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-15
Last Modified
2026-07-15
Generated
2026-07-15
AI Q&A
2026-07-15
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
praisonai praisonai to 4.6.78 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-61427 is an authentication bypass vulnerability in PraisonAI versions before 4.6.78. The MCP HTTP-stream transport does not require authentication by default. Attackers can initialize sessions, list available tools, and invoke tools without providing credentials. The dispatcher also forwards tool-call arguments without validating them against the advertised input schema.

Impact Analysis

This vulnerability allows unauthenticated attackers to abuse MCP tools, potentially leading to unauthorized data access, LLM-key or cost abuse, and other malicious activities. While no confirmed remote code execution was found in tested versions, the lack of input validation poses risks of tool function misuse.

Compliance Impact

This vulnerability could lead to unauthorized access to sensitive data, violating GDPR and HIPAA compliance requirements for data protection and access controls. The lack of authentication and input validation undermines security measures required by these regulations.

Detection Guidance

Check if PraisonAI is running with the MCP HTTP-stream transport without authentication. Verify if the server is bound to 0.0.0.0 or a network-accessible address. Use tools like curl to test unauthenticated access to endpoints like /tools/list or /tools/call.

Mitigation Strategies

Upgrade PraisonAI to version 4.6.78 or later. Configure a strong API key and enforce authentication by setting --api-key. Avoid binding the server to 0.0.0.0 unless necessary. Validate tool-call arguments against inputSchema.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-61427. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart