PraisonAI Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
Vulnerability
A vulnerability in PraisonAI versions prior to 4.5.128 allows unauthenticated users to modify the tool approval allowlist through the gateway's /api/approval/allow-list endpoint. The endpoint performs no authentication when no auth_token is configured, which is the default. By adding the names of dangerous tools, such as shell_exec and file_write, to the allowlist, an attacker causes the ExecApprovalManager to approve every future use of those tools by agents automatically, bypassing the human review the approval flow is meant to enforce.
Impact
Exploitation disables human oversight for the allowlisted tools, so agents can carry out potentially harmful operations (such as running shell commands or writing files, given the tool names involved) without anyone reviewing them. The modified allowlist persists for the lifetime of the gateway process and leaves no audit trail, so an operator has no record that the change was made. Because the gateway binds to 127.0.0.1 by default, the endpoint is primarily reachable by local attackers; combined with the separately reported CORS wildcard origin, however, any website the user visits can issue the request from the user's browser to the local gateway, making the issue exploitable remotely.
Reproduction
To reproduce, send a POST request to the /api/approval/allow-list endpoint of a gateway that has no auth_token configured, naming a dangerous tool such as shell_exec or file_write. The request is accepted without any credential, and from then on the ExecApprovalManager approves agent invocations of that tool automatically instead of prompting for human review. To check whether a running gateway is exposed, confirm whether an auth_token has been set; a gateway started with the default configuration has none.
Remediation
Upgrade to PraisonAI 4.5.128 or later. Until then, configure an auth_token so the approval endpoints reject requests that do not present it, and restrict allowlist additions to known safe tools so that shell_exec, file_write and similar tools can never be auto-approved through the endpoint. Because the allowlist change leaves no audit trail, logging every allowlist modification, accepted or rejected, is also worthwhile, and keeping the gateway bound to 127.0.0.1 limits the attack surface to local processes and to cross-origin requests from the user's browser.
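The following is an added example, not PraisonAI's own code, that models both the Reproduction and the Remediation sections above in one self-contained script: a minimal in-process stand-in for the allow-list endpoint, first behaving as the advisory describes (no auth_token configured, so any caller can allowlist shell_exec and file_write), then hardened to fail closed without a token, compare the token in constant time, accept only known safe tools, and keep an audit trail. The class and function names (ApprovalState, vulnerable_add_tools, hardened_add_tools, is_auto_approved), the SAFE_TOOLS set, the sample token and the request body shape {"tools": [...]} are all assumptions made for illustration and are not taken from the project.

```python
"""Added example, not PraisonAI's own code: an in-process model of an
allow-list endpoint like the one the advisory describes, vulnerable
default first, then hardened. Names, SAFE_TOOLS, the token and the
request body shape {"tools": [...]} are assumptions for illustration."""
import hmac
import json
import time

# Tool names the advisory identifies as dangerous.
DANGEROUS_TOOLS = {"shell_exec", "file_write"}
# Constructed set of tools an operator deems safe to auto-approve.
SAFE_TOOLS = {"read_file", "web_search", "calculator"}


class ApprovalState:
    """Gateway-process state: the allowlist lives only in memory."""

    def __init__(self, auth_token=None):
        self.auth_token = auth_token  # None reproduces the default setup
        self.allowed = set()
        self.audit = []               # only the hardened handler writes here


def vulnerable_add_tools(state, headers, body):
    """Behaviour the advisory describes: with no auth_token configured the
    request is accepted as-is, so dangerous tools become auto-approved."""
    if state.auth_token:
        if headers.get("Authorization") != f"Bearer {state.auth_token}":
            return 401, {"error": "unauthorized"}
    tools = json.loads(body).get("tools", [])
    state.allowed.update(tools)
    return 200, {"allowed": sorted(state.allowed)}


def hardened_add_tools(state, headers, body, client="unknown"):
    """Fail closed without a token, compare it in constant time, accept only
    known safe tools, and record every attempt."""
    # 1. No auth_token configured means the endpoint is not usable at all.
    if not state.auth_token:
        return 503, {"error": "approval endpoints disabled: no auth_token"}

    # 2. Constant-time comparison of the presented bearer token.
    presented = headers.get("Authorization", "")
    expected = f"Bearer {state.auth_token}"
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        state.audit.append({"t": time.time(), "client": client,
                            "result": "bad-token"})
        return 401, {"error": "unauthorized"}

    # 3. Strict body validation: a JSON object holding a list of strings.
    try:
        tools = json.loads(body)["tools"]
    except (ValueError, KeyError, TypeError):
        return 400, {"error": 'body must be {"tools": [...]}'}
    if not isinstance(tools, list) or not all(isinstance(t, str) for t in tools):
        return 400, {"error": "tools must be a list of strings"}

    # 4. Only known safe tools may ever be auto-approved via this endpoint.
    rejected = sorted(t for t in tools if t not in SAFE_TOOLS)
    if rejected:
        state.audit.append({"t": time.time(), "client": client,
                            "result": "rejected", "tools": rejected})
        return 403, {"error": "tool not eligible for allowlisting",
                     "tools": rejected}

    state.allowed.update(tools)
    state.audit.append({"t": time.time(), "client": client,
                        "result": "added", "tools": sorted(tools)})
    return 200, {"allowed": sorted(state.allowed)}


def is_auto_approved(state, tool):
    """The decision the approval manager reduces to: allowlisted tools skip
    the human prompt."""
    return tool in state.allowed


def demo():
    """Replay the attacker's request against both handlers; returns outcomes."""
    attack_body = json.dumps({"tools": sorted(DANGEROUS_TOOLS)})

    weak = ApprovalState(auth_token=None)               # default configuration
    weak_status, _ = vulnerable_add_tools(weak, {}, attack_body)

    no_token_status, _ = hardened_add_tools(ApprovalState(None), {}, attack_body)

    strict = ApprovalState(auth_token="s3cret-token")   # constructed token
    unauth_status, _ = hardened_add_tools(strict, {}, attack_body)
    auth_hdr = {"Authorization": "Bearer s3cret-token"}
    danger_status, _ = hardened_add_tools(strict, auth_hdr, attack_body)
    safe_status, _ = hardened_add_tools(strict, auth_hdr,
                                        json.dumps({"tools": ["read_file"]}))
    return {
        "vulnerable_status": weak_status,
        "vulnerable_shell_exec_auto_approved": is_auto_approved(weak, "shell_exec"),
        "hardened_no_token_status": no_token_status,
        "hardened_unauth_status": unauth_status,
        "hardened_dangerous_status": danger_status,
        "hardened_shell_exec_auto_approved": is_auto_approved(strict, "shell_exec"),
        "hardened_safe_status": safe_status,
        "hardened_read_file_auto_approved": is_auto_approved(strict, "read_file"),
        "hardened_audit_entries": len(strict.audit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Failing closed with 503 when no token is configured is the important design choice: it turns the insecure default into a visible misconfiguration rather than an open endpoint. The safe-tool restriction is what makes the allowlist useless to an attacker even if the token leaks, and the audit list is the in-memory record the advisory notes is missing.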
