Summary
The AgentOS server in the praisonai TypeScript/npm package ships an insecure default: it binds 0.0.0.0, sets no API key, and uses CORS * with credentials. The API-key middleware is only registered when an API key is configured, so the documented quickstart (new AgentOS({agents:[...]}).serve({port})) exposes, unauthenticated, GET /api/agents (which leaks agent names/roles/instructions, i.e. system prompts) and POST /api/chat (which invokes agents). Any network peer can read agent system prompts and drive the agent. Runtime-confirmed; severity High.
Details
Affected component
- Package:
praisonai (npm / TypeScript). Files src/praisonai-ts/src/os/config.ts and src/praisonai-ts/src/os/agentos.ts (AgentOS).
Vulnerable code / root cause
Path:
src/praisonai-ts/src/os/config.ts
Class/const:
DEFAULT_AGENTOS_CONFIG / mergeConfig
Snippet:
export const DEFAULT_AGENTOS_CONFIG = {
host: '0.0.0.0',
corsOrigins: ['*'],
apiKey: '',
// ...
};
// mergeConfig: apiKey = userConfig?.apiKey ?? process.env.PRAISONAI_AGENTOS_API_KEY ?? '';
Issue: defaults bind all interfaces, with an empty API key and wildcard CORS. apiKey stays empty unless the developer explicitly sets it.
Path:
src/praisonai-ts/src/os/agentos.ts
Function:
serve / _registerRoutes (Express app)
Snippet:
if (this.config.apiKey) { // auth middleware ONLY added when apiKey is set
app.use((req,res,next) => { /* 401 unless Bearer/x-auth-token matches */ });
}
// routes:
app.get(`${apiPrefix}/agents`, ...) // returns name/role/instructions
app.post(`${apiPrefix}/chat`, ...) // calls agent.chat(message)
Issue: the only auth gate is conditional on a non-empty apiKey. With the default empty key, no auth middleware is registered, and GET /api/agents (system-prompt disclosure) and POST /api/chat (agent invocation) are served to any network client. CORS sets Access-Control-Allow-Credentials: true with a wildcard origin.
Attack flow
- Developer deploys AgentOS via the quickstart without setting
apiKey/PRAISONAI_AGENTOS_API_KEY.
- Any network peer calls
GET /api/agents → receives agent instructions/system prompts.
- Any network peer calls
POST /api/chat → invokes the agent.
Why existing protection is bypassed
There is no protection in the default config — the auth gate is skipped when apiKey is empty (the default), and the server binds all interfaces.
Security boundary
Unauthenticated network access to agent metadata + invocation. This is the CVE-2026-44338 anti-pattern recurring in the TS package, and worse (0.0.0.0 is the default).
Proof of Concept
Environment
Real AgentOS from src/praisonai-ts run via ts-node in a node container with default config (stub agent, no LLM needed). 127.0.0.1:18000. Runnable assets: PraisonAI-Runtime-Repro\runtime-files\ (docker-compose.agentos.yml).
Steps to reproduce
PRAI-01-01-AgentOS-Agents-NoAuth: GET /api/agents (no Authorization) → 127.0.0.1:18000.
PRAI-01-02-AgentOS-Chat-NoAuth: POST /api/chat {"message":"hello from attacker"} (no Authorization).
Expected result
Non-loopback exposure should require authentication; agent instructions should not be disclosed unauthenticated.
Actual result
GET /api/agents → 200, leaks "instructions":"SYSTEM PROMPT SECRET ... PRAISONAI_INTERNAL_SECRET_CANARY_7f3a91"; response header Access-Control-Allow-Credentials: true.
POST /api/chat → 200, agent invoked ("response":"...PRAISONAI_AGENTOS_CANARY_7f3a91...").
Screenshots
Unauthenticated /api/agents leaks agent instructions
A GET request to /api/agents succeeds without an Authorization header. The response exposes agent metadata and instructions, including the canary system-prompt value.
Unauthenticated /api/chat invokes the agent
A POST request to /api/chat succeeds without an Authorization header. The response confirms that the attacker-controlled message was processed by the configured agent.
Reproduction assets
The attached archive contains the local Docker runtime used to reproduce the issue with controlled canary values only. It does not contain real secrets, third-party API keys, or production credentials.
PraisonAI-Runtime-Repro.zip
Impact
Unauthenticated disclosure of agent configuration/system prompts; unauthenticated agent invocation; LLM cost abuse; possible tool abuse depending on the configured agent's tools; permissive CORS-with-credentials.
Suggested remediation
- Default
host to 127.0.0.1; require apiKey (fail closed) when binding non-loopback.
- Do not default
corsOrigins to ['*'], especially with Access-Control-Allow-Credentials: true.
- Do not return full
instructions on an unauthenticated endpoint.
Summary
The AgentOS server in the
praisonaiTypeScript/npm package ships an insecure default: it binds0.0.0.0, sets no API key, and uses CORS*with credentials. The API-key middleware is only registered when an API key is configured, so the documented quickstart (new AgentOS({agents:[...]}).serve({port})) exposes, unauthenticated,GET /api/agents(which leaks agent names/roles/instructions, i.e. system prompts) andPOST /api/chat(which invokes agents). Any network peer can read agent system prompts and drive the agent. Runtime-confirmed; severity High.Details
Affected component
praisonai(npm / TypeScript). Filessrc/praisonai-ts/src/os/config.tsandsrc/praisonai-ts/src/os/agentos.ts(AgentOS).Vulnerable code / root cause
Path:
src/praisonai-ts/src/os/config.tsClass/const:
DEFAULT_AGENTOS_CONFIG/mergeConfigSnippet:
Issue: defaults bind all interfaces, with an empty API key and wildcard CORS.
apiKeystays empty unless the developer explicitly sets it.Path:
src/praisonai-ts/src/os/agentos.tsFunction:
serve/_registerRoutes(Express app)Snippet:
Issue: the only auth gate is conditional on a non-empty
apiKey. With the default empty key, no auth middleware is registered, andGET /api/agents(system-prompt disclosure) andPOST /api/chat(agent invocation) are served to any network client. CORS setsAccess-Control-Allow-Credentials: truewith a wildcard origin.Attack flow
apiKey/PRAISONAI_AGENTOS_API_KEY.GET /api/agents→ receives agent instructions/system prompts.POST /api/chat→ invokes the agent.Why existing protection is bypassed
There is no protection in the default config — the auth gate is skipped when
apiKeyis empty (the default), and the server binds all interfaces.Security boundary
Unauthenticated network access to agent metadata + invocation. This is the CVE-2026-44338 anti-pattern recurring in the TS package, and worse (0.0.0.0 is the default).
Proof of Concept
Environment
Real AgentOS from
src/praisonai-tsrun via ts-node in a node container with default config (stub agent, no LLM needed).127.0.0.1:18000. Runnable assets:PraisonAI-Runtime-Repro\runtime-files\(docker-compose.agentos.yml).Steps to reproduce
PRAI-01-01-AgentOS-Agents-NoAuth:GET /api/agents(no Authorization) →127.0.0.1:18000.PRAI-01-02-AgentOS-Chat-NoAuth:POST /api/chat {"message":"hello from attacker"}(no Authorization).Expected result
Non-loopback exposure should require authentication; agent instructions should not be disclosed unauthenticated.
Actual result
GET /api/agents→200, leaks"instructions":"SYSTEM PROMPT SECRET ... PRAISONAI_INTERNAL_SECRET_CANARY_7f3a91"; response headerAccess-Control-Allow-Credentials: true.POST /api/chat→200, agent invoked ("response":"...PRAISONAI_AGENTOS_CANARY_7f3a91...").Screenshots
Unauthenticated
/api/agentsleaks agent instructionsA GET request to
/api/agentssucceeds without anAuthorizationheader. The response exposes agent metadata and instructions, including the canary system-prompt value.Unauthenticated
/api/chatinvokes the agentA POST request to
/api/chatsucceeds without anAuthorizationheader. The response confirms that the attacker-controlled message was processed by the configured agent.Reproduction assets
The attached archive contains the local Docker runtime used to reproduce the issue with controlled canary values only. It does not contain real secrets, third-party API keys, or production credentials.
PraisonAI-Runtime-Repro.zip
Impact
Unauthenticated disclosure of agent configuration/system prompts; unauthenticated agent invocation; LLM cost abuse; possible tool abuse depending on the configured agent's tools; permissive CORS-with-credentials.
Suggested remediation
hostto127.0.0.1; requireapiKey(fail closed) when binding non-loopback.corsOriginsto['*'], especially withAccess-Control-Allow-Credentials: true.instructionson an unauthenticated endpoint.