Skip to content

PraisonAI: PRAISONAI_CALL_AUTH=disabled environment variable unconditionally disables authentication

High severity GitHub Reviewed Published Jun 17, 2026 in MervinPraison/PraisonAI • Updated Jun 18, 2026

Package

pip praisonai (pip)

Affected versions

< 4.6.61

Patched versions

4.6.61

Description

Summary

Setting PRAISONAI_CALL_AUTH=disabled completely disables all authentication on the /api/v1/agents/{id}/invoke endpoint. This bypass is advertised in the application's own error messages, making it likely to appear in production Docker and Compose configurations.

Details

# src/praisonai/praisonai/api/agent_invoke.py:32
_CALL_AUTH_DISABLED = os.getenv('PRAISONAI_CALL_AUTH', '').lower() == 'disabled'

async def verify_token(...) -> None:
    if _CALL_AUTH_DISABLED:
        return  # all authentication skipped unconditionally

The application's own error message advertises the bypass:

"Set CALL_SERVER_TOKEN or PRAISONAI_CALL_AUTH=disabled to run without authentication."

This causes the setting to appear in Docker/Compose configurations as a convenience option.

Proof of Concept

import os
os.environ["PRAISONAI_CALL_AUTH"] = "disabled"
# verify_token() now returns immediately for any request
# POST /api/v1/agents/any-agent/invoke → 200 OK (no token needed)

Common vulnerable deployment:

# docker-compose.yml
environment:
  - PRAISONAI_CALL_AUTH=disabled  # auth completely disabled

Impact

Full unauthenticated access to the agent invocation API. Any agent registered on the server can be triggered without credentials, potentially executing arbitrary actions depending on the agent's configured tools.

References

@MervinPraison MervinPraison published to MervinPraison/PraisonAI Jun 17, 2026
Published to the GitHub Advisory Database Jun 18, 2026
Reviewed Jun 18, 2026
Last updated Jun 18, 2026

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS score

Weaknesses

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-8ccj-p46r-jwqq

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.