PraisonAI Legacy Flask API Unauthenticated Access Vulnerability

A vulnerability exists in PraisonAI versions 2.5.6 prior to 4.6.34, where a legacy Flask API server is included with authentication disabled by default. This allows any caller with network access to the server to access the '/agents' endpoint and trigger workflows defined in 'agents.yaml' through the '/chat' endpoint, without needing an authentication token. The issue arises because the server's authentication checks are bypassed, enabling unauthorized access to sensitive functionalities.

Impact

The vulnerability allows any reachable caller to invoke protected API functionalities without authentication. This includes unauthorized access to agent metadata and the ability to trigger workflows defined in the 'agents.yaml' file, along with any associated side effects or resource consumption. Additionally, the results of these workflows are exposed to the unauthenticated caller.

Reproduction

The vulnerability can be reproduced by deploying the legacy API server with the default settings, which include authentication disabled. Once the server is running, it is possible to access the '/agents' and '/chat' endpoints without an authorization token. The '/agents' endpoint will return agent metadata, while the '/chat' endpoint can be used to trigger workflows defined in 'agents.yaml' without any authentication.

Remediation

Users can upgrade to PraisonAI version 4.6.34 or later, where this vulnerability has been patched.