PraisonAI Authentication Bypass Vulnerability in OAuth Token Validation
Vulnerability
An authentication bypass vulnerability has been identified in PraisonAI versions prior to 4.5.97. The issue arises in the OAuthManager.validate_token() method, which incorrectly validates tokens. By default, the internal token store is empty, causing the method to return True for any token not explicitly stored. This flaw allows unauthenticated users to send HTTP requests to the MCP server with arbitrary Bearer tokens, gaining unauthorized access to all registered tools and agent capabilities.
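The fail-open pattern described above, next to a fail-closed check, as an added example that is not PraisonAI's code. The class names, issue(), bearer_token() and is_authorized() are hypothetical, and the tokens used with them are constructed sample values.

```python
import hmac
import time

class FailOpenValidator:
    """Simplified model of the flaw: a token missing from the store is accepted."""
    def __init__(self):
        self._tokens = {}  # token -> expiry (epoch seconds); empty by default

    def validate_token(self, token):
        expiry = self._tokens.get(token)
        if expiry is None:
            return True  # BUG: "not in the store" is treated as "valid"
        return expiry > time.time()

class FailClosedValidator:
    """Hardened form: only issued, unexpired tokens pass; everything else fails."""
    def __init__(self):
        self._tokens = {}

    def issue(self, token, ttl_seconds=3600):
        self._tokens[token] = time.time() + ttl_seconds

    def validate_token(self, token):
        if not token:
            return False
        now = time.time()
        valid = False
        # Constant-time comparison against each stored token; default is deny.
        for stored, expiry in self._tokens.items():
            if hmac.compare_digest(stored.encode(), token.encode()) and expiry > now:
                valid = True
        return valid

def bearer_token(header):
    """Return the token from an Authorization header, or None if malformed."""
    if not header:
        return None
    scheme, _, value = header.partition(" ")
    if scheme.lower() != "bearer" or not value.strip():
        return None
    return value.strip()

def is_authorized(validator, authorization_header):
    """Gate a request: a well-formed Bearer header AND a token the validator accepts."""
    token = bearer_token(authorization_header)
    return token is not None and validator.validate_token(token)
```

The same assertions work as a regression test against any token validator: an empty store must reject every token.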
Impact
Exploitation of this vulnerability allows any unauthenticated attacker with network access to the MCP HTTP server to invoke all registered tools. This includes executing agents, running workflows, reading or writing files through container operations, and loading skills. The MCP server, by default, listens on all network interfaces without requiring an API key for access.
Reproduction
To reproduce this vulnerability, install PraisonAI using pip with the command 'pip install -e src/praisonai'. After installation, start the MCP server on port 8080 using the command 'praisonai mcp serve --transport http-stream --port 8080'. Once the server is running, send a POST request to the MCP endpoint at 'http://127.0.0.1:8080/mcp' with a fake Bearer token in the Authorization header and a JSON-RPC payload requesting the 'tools/list' method. The server will respond with a 200 OK status and a full list of tools, including sensitive agent and workflow commands.
Remediation
Users can update to PraisonAI version 4.5.97 or later, where this vulnerability has been patched.
