Summary
Setting PRAISONAI_CALL_AUTH=disabled completely disables all authentication on the /api/v1/agents/{id}/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.
Details
# src/praisonai/praisonai/api/agent_invoke.py:32
_CALL_AUTH_DISABLED = os.getenv('PRAISONAI_CALL_AUTH', '').lower() == 'disabled'
async def verify_token(...) -> None:
if _CALL_AUTH_DISABLED:
return # all authentication skipped unconditionally
The application's own error message advertises the bypass:
"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication."
This causes the setting to appear in Docker/Compose configurations as a convenience option.
Proof of Concept
import os
os.environ["PRAISONAI_CALL_AUTH"] = "disabled"
# verify_token() now returns immediately for any request
# POST /api/v1/agents/any-agent/invoke → 200 OK (no token needed)
Common vulnerable deployment:
# docker-compose.yml
environment:
- PRAISONAI_CALL_AUTH=disabled # auth completely disabled
Impact
Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.
References
Summary
Setting
PRAISONAI_CALL_AUTH=disabledcompletely disables all authentication on the/api/v1/agents/{id}/invokeendpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.Details
The application's own error message advertises the bypass:
This causes the setting to appear in Docker/Compose configurations as a convenience option.
Proof of Concept
Common vulnerable deployment:
Impact
Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.
References