Common Weakness Enumeration

CWE-287

Discouraged

Improper Authentication

Abstraction: Class · Status: Draft

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

5947 vulnerabilities reference this CWE, most recent first.

GHSA-5Q8Q-FJ6W-J33V

Vulnerability from github – Published: 2022-08-20 00:00 – Updated: 2026-07-05 03:30
VLAI
Details

Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-35167"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-732"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-08-19T02:15:00Z",
    "severity": "HIGH"
  },
  "details": "Printix Cloud Print Management v1.3.1149.0 for Windows was discovered to contain insecure permissions.",
  "id": "GHSA-5q8q-fj6w-j33v",
  "modified": "2026-07-05T03:30:49Z",
  "published": "2022-08-20T00:00:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-35167"
    },
    {
      "type": "WEB",
      "url": "https://www.pentagrid.ch/en/blog/vulnerabilities-in-printix-cloud-print-management"
    },
    {
      "type": "WEB",
      "url": "http://printix.com"
    },
    {
      "type": "WEB",
      "url": "http://printixnet.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QGX-Q55Q-4JM7

Vulnerability from github – Published: 2022-05-24 17:10 – Updated: 2022-05-24 17:10
VLAI
Details

An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn't perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2020-9544"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2020-03-05T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered on D-Link DSL-2640B E1 EU_1.01 devices. The administrative interface doesn\u0027t perform authentication checks for a firmware-update POST request. Any attacker that can access the administrative interface can install firmware of their choice.",
  "id": "GHSA-5qgx-q55q-4jm7",
  "modified": "2022-05-24T17:10:18Z",
  "published": "2022-05-24T17:10:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-9544"
    },
    {
      "type": "WEB",
      "url": "https://ktln2.org/2020/03/05/cve-2020-9544"
    },
    {
      "type": "WEB",
      "url": "https://www.dlink.com/en/security-bulletin"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5QJ4-9P84-827G

Vulnerability from github – Published: 2022-05-17 01:17 – Updated: 2025-04-20 03:34
VLAI
Details

Authentication bypass by spoofing vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to execute arbitrary code or cause a denial of service via a crafted authentication cookie.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-8022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-03-14T22:59:00Z",
    "severity": "HIGH"
  },
  "details": "Authentication bypass by spoofing vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to execute arbitrary code or cause a denial of service via a crafted authentication cookie.",
  "id": "GHSA-5qj4-9p84-827g",
  "modified": "2025-04-20T03:34:05Z",
  "published": "2022-05-17T01:17:42Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-8022"
    },
    {
      "type": "WEB",
      "url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10181"
    },
    {
      "type": "WEB",
      "url": "https://www.exploit-db.com/exploits/40911"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/94823"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1037433"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5QMQ-WQF9-CHPC

Vulnerability from github – Published: 2022-05-02 03:31 – Updated: 2022-05-02 03:31
VLAI
Details

Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site's context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2009-2063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-06-15T19:30:00Z",
    "severity": "MODERATE"
  },
  "details": "Opera, possibly before 9.25, processes a 3xx HTTP CONNECT response before a successful SSL handshake, which allows man-in-the-middle attackers to execute arbitrary web script, in an https site\u0027s context, by modifying this CONNECT response to specify a 302 redirect to an arbitrary https web site.",
  "id": "GHSA-5qmq-wqf9-chpc",
  "modified": "2022-05-02T03:31:16Z",
  "published": "2022-05-02T03:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-2063"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/51204"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/apps/pubs/default.aspx?id=79323"
    },
    {
      "type": "WEB",
      "url": "http://research.microsoft.com/pubs/79323/pbp-final-with-update.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/35412"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5QW8-F2G9-FF29

Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52
VLAI
Summary
PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard
Details

PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard

Summary

PraisonAI's installed console entrypoint is Typer-first. In current releases, the recipe command is registered in the Typer app and praisonai recipe serve dispatches to the deprecated Typer command in src/praisonai/praisonai/cli/commands/recipe.py.

That Typer command can start the Recipe HTTP server on a non-localhost interface with no authentication:

praisonai recipe serve --host 0.0.0.0 --admin

It prints a deprecation warning, then launches the server with:

{
  "host": "0.0.0.0",
  "config": {
    "cors_origins": "*",
    "enable_admin": true
  }
}

Because config.auth is absent, create_app() does not attach the API-key or JWT middleware. Unauthenticated requests can then reach the recipe API and, when enabled, /admin/reload.

This is an incomplete hardening / sibling-callsite issue. The legacy feature handler in src/praisonai/praisonai/cli/features/recipe.py rejects the same non-localhost/no-auth combination, and current create_auth_middleware() now fails closed if API-key/JWT auth is selected without a secret. The installed Typer command bypasses both expectations by never requiring or setting auth.

Affected product

  • Repository: MervinPraison/PraisonAI
  • Package: praisonai
  • Component:
  • src/praisonai/praisonai/__main__.py
  • src/praisonai/praisonai/cli/app.py
  • src/praisonai/praisonai/cli/commands/recipe.py
  • src/praisonai/praisonai/cli/features/recipe.py
  • src/praisonai/praisonai/recipe/serve.py

Confirmed affected:

v4.6.58  1ad58ca02975ff1398efeda694ea2ab78f20cf3e
v4.6.57  e90d92231853161ad931f3498da57651a9f8b528
v4.6.56  d3c4a2afadfbf3a3e172e460e607ba4efad263a6
v4.6.34  e5928449f73f66cc8af1de61621aa974ab255133
v4.6.33  dfbb8d78ec7e8dc7118bc722ab1b2524bc98ddab
v4.6.10  4b1b17b963cbd0625e41394a30168c95b26429b2
v4.5.128 b4e3a8a84ade44ac3dd9102b792cdb4311a95937
v4.5.112 bfe3d94bad6db92fc2927c2e3c081ae8303e209e

Suggested affected range: praisonai >= 4.5.112, <= 4.6.58.

The lower bound is conservative and based on sampled tags. Maintainers should confirm the exact introduction point before publishing a final range.

Root cause

The installed entrypoint routes registered Typer commands before falling back to the legacy dispatcher:

if first_cmd in _get_typer_commands():
    _run_typer(argv)
else:
    _run_legacy(argv)

cli/app.py registers commands.recipe as the recipe Typer command:

from .commands.recipe import app as recipe_app
...
app.add_typer(recipe_app, name="recipe", help="Recipe management")

The deprecated Typer recipe serve implementation accepts a remote host, defaults CORS to *, and only enables authentication when --api-key is explicitly provided:

host: str = typer.Option("127.0.0.1", "--host", "-h", ...)
api_key: str = typer.Option(None, "--api-key", ...)
cors: str = typer.Option("*", "--cors", ...)
admin: bool = typer.Option(False, "--admin", ...)
...
serve_config = {}
...
if api_key:
    serve_config["api_key"] = api_key
    serve_config["auth"] = "api-key"
if cors:
    serve_config["cors_origins"] = cors
if admin:
    serve_config["enable_admin"] = True
...
serve(host=host, port=port, reload=reload, config=serve_config, workers=workers)

There is no equivalent to the hardened non-localhost guard in the legacy feature handler:

if host != "127.0.0.1" and host != "localhost" and auth == "none":
    self._print_error("Auth required for non-localhost binding. Use --auth api-key or --auth jwt")
    return self.EXIT_POLICY_DENIED

The Recipe server only installs auth middleware when config["auth"] is set:

auth_type = config.get("auth")
if auth_type and auth_type != "none":
    auth_middleware = create_auth_middleware(...)
    if auth_middleware:
        middleware.append(Middleware(auth_middleware))

On current v4.6.58, the selected-auth paths fail closed correctly:

  • auth=api-key with no key returns 503.
  • auth=api-key with a key but no request header returns 401.

The vulnerable Typer path does not select auth at all.

Local-only PoV

Run from the harness checkout:

uv run \
  --with starlette --with httpx --with typer --with rich --with pyyaml \
  --with sse-starlette --with click --with python-dotenv \
  python submission-bundle/praisonai-prai-cand-016-recipe-serve-typer-auth-bypass/poc/pov_prai_cand_016_recipe_serve_typer_auth_bypass.py \
  --repo artifacts/repos/praisonai-v4.6.58 \
  --label v4.6.58

The PoV does not bind a socket. It monkey-patches the recipe server launcher, invokes the real praisonai.__main__.main() entrypoint with recipe serve --host 0.0.0.0 --admin, captures the launch config, and then uses Starlette's in-process test client to exercise the resulting app.

Observed v4.6.58 result:

{
  "candidate": "PRAI-CAND-016",
  "entrypoint_exit_code": 0,
  "typer_recipe_command_registered": true,
  "captured_launch": {
    "host": "0.0.0.0",
    "port": 8765,
    "config": {
      "cors_origins": "*",
      "enable_admin": true
    }
  },
  "bypass": {
    "admin_reload": {
      "path": "/admin/reload",
      "status": 200
    },
    "openapi": {
      "path": "/openapi.json",
      "status": 200
    }
  },
  "controls": {
    "auth_api_key_no_secret": {
      "admin_reload": {
        "status": 503
      }
    },
    "auth_api_key_no_header": {
      "admin_reload": {
        "status": 401
      }
    }
  },
  "feature_handler_nonlocalhost_noauth_exit": 4,
  "auth_fail_closed_current_control": true,
  "ok": true
}

Stored evidence:

  • evidence/current-v4.6.58.json
  • evidence/version-sweep.tsv

Why this is not intended behavior

This is not only a disagreement about whether operators should configure auth.

PraisonAI's current security documentation says recent hardening changed API servers so anonymous requests return 401 and servers bind to 127.0.0.1 by default. Recipe server docs say auth: api-key should be used for production, admin endpoints require auth, and public servers should not run without authentication.

The implementation also shows the intended boundary:

  • create_auth_middleware() now returns 503 if API-key/JWT auth is selected without a secret.
  • RecipeHandler.cmd_serve() refuses non-localhost binding when auth is none.
  • The vulnerable Typer command is marked deprecated and tells users to use the newer command, but the installed entrypoint still routes praisonai recipe to that Typer command before the legacy handler can enforce the guard.

The official local HTTP sidecar docs describe the sidecar as communicating over localhost and "no external network required", but the Docker example still uses:

CMD ["praisonai", "recipe", "serve", "--host", "0.0.0.0", "--port", "8765"]

That command exposes the Typer path above and does not enable auth, even if PRAISONAI_API_KEY is present in the environment, because this path only sets auth when --api-key is passed or a config file sets auth.

Impact

If an operator follows the vulnerable command path on a reachable interface, any network caller that can reach the Recipe HTTP server can access recipe runner endpoints without credentials.

Affected endpoints include:

  • GET /v1/recipes
  • POST /v1/recipes/run
  • POST /v1/recipes/stream
  • POST /v1/recipes/validate
  • optional POST /admin/reload when admin endpoints are enabled

The exact impact depends on configured recipes and deployment context. At a minimum, an attacker can enumerate recipes and trigger recipe validation or execution flows intended for local or authenticated callers. In deployments with powerful recipes, tool-enabled recipes, or admin endpoints, this can cause unauthorized workflow execution, model/API spend, state changes, or recipe registry reload operations.

This report does not claim arbitrary code execution by default.

Suggested fix

Prefer one canonical Recipe server CLI path and enforce the same preflight for every wrapper.

Recommended changes:

  1. Remove or hard-disable the deprecated Typer praisonai recipe serve command, or make it delegate to the hardened RecipeHandler.cmd_serve() code path.
  2. Add the same non-localhost/no-auth guard to cli/commands/recipe.py.
  3. Treat PRAISONAI_API_KEY as a secret only when auth=api-key is selected; do not rely on the env var's presence alone unless the command also enables auth explicitly.
  4. Fix the deprecated command's help examples so remote binding always includes auth.
  5. Consider changing --cors default from * to no CORS or localhost origins.
  6. Add regression tests that invoke the installed praisonai.__main__.main() entrypoint, not only the legacy feature handler:
  7. praisonai recipe serve --host 0.0.0.0 fails before launch unless auth is selected and configured;
  8. praisonai recipe serve --host 0.0.0.0 --admin cannot expose /admin/reload without auth;
  9. selected but misconfigured auth still returns 503;
  10. configured auth with no header returns 401.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.58"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonai"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.5.112"
            },
            {
              "fixed": "4.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-306",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:52:44Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "# PraisonAI `recipe serve` Typer command bypasses the non-localhost authentication guard\n\n## Summary\n\nPraisonAI\u0027s installed console entrypoint is Typer-first. In current releases,\nthe `recipe` command is registered in the Typer app and\n`praisonai recipe serve` dispatches to the deprecated Typer command in\n`src/praisonai/praisonai/cli/commands/recipe.py`.\n\nThat Typer command can start the Recipe HTTP server on a non-localhost\ninterface with no authentication:\n\n```text\npraisonai recipe serve --host 0.0.0.0 --admin\n```\n\nIt prints a deprecation warning, then launches the server with:\n\n```json\n{\n  \"host\": \"0.0.0.0\",\n  \"config\": {\n    \"cors_origins\": \"*\",\n    \"enable_admin\": true\n  }\n}\n```\n\nBecause `config.auth` is absent, `create_app()` does not attach the API-key or\nJWT middleware. Unauthenticated requests can then reach the recipe API and, when\nenabled, `/admin/reload`.\n\nThis is an incomplete hardening / sibling-callsite issue. The legacy feature\nhandler in `src/praisonai/praisonai/cli/features/recipe.py` rejects the same\nnon-localhost/no-auth combination, and current `create_auth_middleware()` now\nfails closed if API-key/JWT auth is selected without a secret. The installed\nTyper command bypasses both expectations by never requiring or setting `auth`.\n\n## Affected product\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `praisonai`\n- Component:\n  - `src/praisonai/praisonai/__main__.py`\n  - `src/praisonai/praisonai/cli/app.py`\n  - `src/praisonai/praisonai/cli/commands/recipe.py`\n  - `src/praisonai/praisonai/cli/features/recipe.py`\n  - `src/praisonai/praisonai/recipe/serve.py`\n\nConfirmed affected:\n\n```text\nv4.6.58  1ad58ca02975ff1398efeda694ea2ab78f20cf3e\nv4.6.57  e90d92231853161ad931f3498da57651a9f8b528\nv4.6.56  d3c4a2afadfbf3a3e172e460e607ba4efad263a6\nv4.6.34  e5928449f73f66cc8af1de61621aa974ab255133\nv4.6.33  dfbb8d78ec7e8dc7118bc722ab1b2524bc98ddab\nv4.6.10  4b1b17b963cbd0625e41394a30168c95b26429b2\nv4.5.128 b4e3a8a84ade44ac3dd9102b792cdb4311a95937\nv4.5.112 bfe3d94bad6db92fc2927c2e3c081ae8303e209e\n```\n\nSuggested affected range: `praisonai \u003e= 4.5.112, \u003c= 4.6.58`.\n\nThe lower bound is conservative and based on sampled tags. Maintainers should\nconfirm the exact introduction point before publishing a final range.\n\n## Root cause\n\nThe installed entrypoint routes registered Typer commands before falling back\nto the legacy dispatcher:\n\n```python\nif first_cmd in _get_typer_commands():\n    _run_typer(argv)\nelse:\n    _run_legacy(argv)\n```\n\n`cli/app.py` registers `commands.recipe` as the `recipe` Typer command:\n\n```python\nfrom .commands.recipe import app as recipe_app\n...\napp.add_typer(recipe_app, name=\"recipe\", help=\"Recipe management\")\n```\n\nThe deprecated Typer `recipe serve` implementation accepts a remote host,\ndefaults CORS to `*`, and only enables authentication when `--api-key` is\nexplicitly provided:\n\n```python\nhost: str = typer.Option(\"127.0.0.1\", \"--host\", \"-h\", ...)\napi_key: str = typer.Option(None, \"--api-key\", ...)\ncors: str = typer.Option(\"*\", \"--cors\", ...)\nadmin: bool = typer.Option(False, \"--admin\", ...)\n...\nserve_config = {}\n...\nif api_key:\n    serve_config[\"api_key\"] = api_key\n    serve_config[\"auth\"] = \"api-key\"\nif cors:\n    serve_config[\"cors_origins\"] = cors\nif admin:\n    serve_config[\"enable_admin\"] = True\n...\nserve(host=host, port=port, reload=reload, config=serve_config, workers=workers)\n```\n\nThere is no equivalent to the hardened non-localhost guard in the legacy\nfeature handler:\n\n```python\nif host != \"127.0.0.1\" and host != \"localhost\" and auth == \"none\":\n    self._print_error(\"Auth required for non-localhost binding. Use --auth api-key or --auth jwt\")\n    return self.EXIT_POLICY_DENIED\n```\n\nThe Recipe server only installs auth middleware when `config[\"auth\"]` is set:\n\n```python\nauth_type = config.get(\"auth\")\nif auth_type and auth_type != \"none\":\n    auth_middleware = create_auth_middleware(...)\n    if auth_middleware:\n        middleware.append(Middleware(auth_middleware))\n```\n\nOn current `v4.6.58`, the selected-auth paths fail closed correctly:\n\n- `auth=api-key` with no key returns `503`.\n- `auth=api-key` with a key but no request header returns `401`.\n\nThe vulnerable Typer path does not select auth at all.\n\n## Local-only PoV\n\nRun from the harness checkout:\n\n```bash\nuv run \\\n  --with starlette --with httpx --with typer --with rich --with pyyaml \\\n  --with sse-starlette --with click --with python-dotenv \\\n  python submission-bundle/praisonai-prai-cand-016-recipe-serve-typer-auth-bypass/poc/pov_prai_cand_016_recipe_serve_typer_auth_bypass.py \\\n  --repo artifacts/repos/praisonai-v4.6.58 \\\n  --label v4.6.58\n```\n\nThe PoV does not bind a socket. It monkey-patches the recipe server launcher,\ninvokes the real `praisonai.__main__.main()` entrypoint with\n`recipe serve --host 0.0.0.0 --admin`, captures the launch config, and then\nuses Starlette\u0027s in-process test client to exercise the resulting app.\n\nObserved `v4.6.58` result:\n\n```json\n{\n  \"candidate\": \"PRAI-CAND-016\",\n  \"entrypoint_exit_code\": 0,\n  \"typer_recipe_command_registered\": true,\n  \"captured_launch\": {\n    \"host\": \"0.0.0.0\",\n    \"port\": 8765,\n    \"config\": {\n      \"cors_origins\": \"*\",\n      \"enable_admin\": true\n    }\n  },\n  \"bypass\": {\n    \"admin_reload\": {\n      \"path\": \"/admin/reload\",\n      \"status\": 200\n    },\n    \"openapi\": {\n      \"path\": \"/openapi.json\",\n      \"status\": 200\n    }\n  },\n  \"controls\": {\n    \"auth_api_key_no_secret\": {\n      \"admin_reload\": {\n        \"status\": 503\n      }\n    },\n    \"auth_api_key_no_header\": {\n      \"admin_reload\": {\n        \"status\": 401\n      }\n    }\n  },\n  \"feature_handler_nonlocalhost_noauth_exit\": 4,\n  \"auth_fail_closed_current_control\": true,\n  \"ok\": true\n}\n```\n\nStored evidence:\n\n- `evidence/current-v4.6.58.json`\n- `evidence/version-sweep.tsv`\n\n## Why this is not intended behavior\n\nThis is not only a disagreement about whether operators should configure auth.\n\nPraisonAI\u0027s current security documentation says recent hardening changed API\nservers so anonymous requests return `401` and servers bind to `127.0.0.1` by\ndefault. Recipe server docs say `auth: api-key` should be used for production,\nadmin endpoints require auth, and public servers should not run without\nauthentication.\n\nThe implementation also shows the intended boundary:\n\n- `create_auth_middleware()` now returns `503` if API-key/JWT auth is selected\n  without a secret.\n- `RecipeHandler.cmd_serve()` refuses non-localhost binding when `auth` is\n  `none`.\n- The vulnerable Typer command is marked deprecated and tells users to use the\n  newer command, but the installed entrypoint still routes `praisonai recipe`\n  to that Typer command before the legacy handler can enforce the guard.\n\nThe official local HTTP sidecar docs describe the sidecar as communicating over\nlocalhost and \"no external network required\", but the Docker example still uses:\n\n```text\nCMD [\"praisonai\", \"recipe\", \"serve\", \"--host\", \"0.0.0.0\", \"--port\", \"8765\"]\n```\n\nThat command exposes the Typer path above and does not enable auth, even if\n`PRAISONAI_API_KEY` is present in the environment, because this path only sets\n`auth` when `--api-key` is passed or a config file sets `auth`.\n\n## Impact\n\nIf an operator follows the vulnerable command path on a reachable interface,\nany network caller that can reach the Recipe HTTP server can access recipe\nrunner endpoints without credentials.\n\nAffected endpoints include:\n\n- `GET /v1/recipes`\n- `POST /v1/recipes/run`\n- `POST /v1/recipes/stream`\n- `POST /v1/recipes/validate`\n- optional `POST /admin/reload` when admin endpoints are enabled\n\nThe exact impact depends on configured recipes and deployment context. At a\nminimum, an attacker can enumerate recipes and trigger recipe validation or\nexecution flows intended for local or authenticated callers. In deployments\nwith powerful recipes, tool-enabled recipes, or admin endpoints, this can cause\nunauthorized workflow execution, model/API spend, state changes, or recipe\nregistry reload operations.\n\nThis report does not claim arbitrary code execution by default.\n\n## Suggested fix\n\nPrefer one canonical Recipe server CLI path and enforce the same preflight for\nevery wrapper.\n\nRecommended changes:\n\n1. Remove or hard-disable the deprecated Typer `praisonai recipe serve` command,\n   or make it delegate to the hardened `RecipeHandler.cmd_serve()` code path.\n2. Add the same non-localhost/no-auth guard to `cli/commands/recipe.py`.\n3. Treat `PRAISONAI_API_KEY` as a secret only when `auth=api-key` is selected;\n   do not rely on the env var\u0027s presence alone unless the command also enables\n   auth explicitly.\n4. Fix the deprecated command\u0027s help examples so remote binding always includes\n   auth.\n5. Consider changing `--cors` default from `*` to no CORS or localhost origins.\n6. Add regression tests that invoke the installed `praisonai.__main__.main()`\n   entrypoint, not only the legacy feature handler:\n   - `praisonai recipe serve --host 0.0.0.0` fails before launch unless auth is\n     selected and configured;\n   - `praisonai recipe serve --host 0.0.0.0 --admin` cannot expose\n     `/admin/reload` without auth;\n   - selected but misconfigured auth still returns `503`;\n   - configured auth with no header returns `401`.",
  "id": "GHSA-5qw8-f2g9-ff29",
  "modified": "2026-06-18T13:52:44Z",
  "published": "2026-06-18T13:52:44Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-5qw8-f2g9-ff29"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard"
}

GHSA-5QWH-5J36-WH9W

Vulnerability from github – Published: 2024-10-10 12:31 – Updated: 2024-10-10 12:31
VLAI
Details

Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-45115"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-10-10T10:15:03Z",
    "severity": "CRITICAL"
  },
  "details": "Adobe Commerce versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10 and earlier are affected by an Improper Authentication vulnerability that could result in privilege escalation. An attacker could exploit this vulnerability to gain unauthorized access or elevated privileges within the application. Exploitation of this issue does not require user interaction.",
  "id": "GHSA-5qwh-5j36-wh9w",
  "modified": "2024-10-10T12:31:12Z",
  "published": "2024-10-10T12:31:12Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45115"
    },
    {
      "type": "WEB",
      "url": "https://helpx.adobe.com/security/products/magento/apsb24-73.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R22-JH36-PJ45

Vulnerability from github – Published: 2022-05-01 18:29 – Updated: 2022-05-01 18:29
VLAI
Details

Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain "access to Geronimo internals" via unspecified vectors.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2007-5085"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2007-09-26T10:17:00Z",
    "severity": "MODERATE"
  },
  "details": "Unspecified vulnerability in the management EJB (MEJB) in Apache Geronimo before 2.0.2 allows remote attackers to bypass authentication and obtain \"access to Geronimo internals\" via unspecified vectors.",
  "id": "GHSA-5r22-jh36-pj45",
  "modified": "2022-05-01T18:29:51Z",
  "published": "2022-05-01T18:29:51Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5085"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/GERONIMO-3456"
    },
    {
      "type": "WEB",
      "url": "http://geronimo.apache.org/2007/09/07/mejb-security-alert.html"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/38661"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/26906"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/27464"
    },
    {
      "type": "WEB",
      "url": "http://www-1.ibm.com/support/docview.wss?uid=swg21271586"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/25804"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1018877"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-5R3C-CQ8H-C6GX

Vulnerability from github – Published: 2023-07-06 19:24 – Updated: 2026-04-08 21:31
VLAI
Details

The Profile Builder – User Profile & User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2297"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287",
      "CWE-620"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-04-27T00:15:08Z",
    "severity": "HIGH"
  },
  "details": "The Profile Builder \u2013 User Profile \u0026 User Registration Forms plugin for WordPress is vulnerable to unauthorized password resets  in versions up to, and including 3.9.0. This is due to the plugin using native password reset functionality, with insufficient validation on the password reset function (wppb_front_end_password_recovery). The function uses the plaintext value of a password reset key instead of a hashed value which means it can easily be retrieved and subsequently used. An attacker can leverage CVE-2023-0814, or another vulnerability like SQL Injection in another plugin or theme installed on the site to successfully exploit this vulnerability.",
  "id": "GHSA-5r3c-cq8h-c6gx",
  "modified": "2026-04-08T21:31:49Z",
  "published": "2023-07-06T19:24:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2297"
    },
    {
      "type": "WEB",
      "url": "https://lana.codes/lanavdb/512e7307-04a5-4d8b-8f79-f75f37784a9f"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2864329%40profile-builder\u0026new=2864329%40profile-builder\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e731292a-4f95-46eb-889e-b00d58f3444e?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-5R3P-6RJ5-7937

Vulnerability from github – Published: 2026-03-02 17:32 – Updated: 2026-03-02 17:32
VLAI
Summary
Bytebase vulnerable to Improper Authentication
Details

Impact

  • GitLab login allows login by any user.
  • JWT auth token can be derived as long as the server isn't rebooted.
  • Developers can assign issues to non-admin/DBA users.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.0.0"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/bytebase/bytebase"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-02T17:32:24Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n- GitLab login allows login by any user.\n- JWT auth token can be derived as long as the server isn\u0027t rebooted.\n- Developers can assign issues to non-admin/DBA users.",
  "id": "GHSA-5r3p-6rj5-7937",
  "modified": "2026-03-02T17:32:24Z",
  "published": "2026-03-02T17:32:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/bytebase/bytebase/security/advisories/GHSA-5r3p-6rj5-7937"
    },
    {
      "type": "WEB",
      "url": "https://github.com/bytebase/bytebase/commit/a578ed58e478ba5c2dadf8d538ec5c3d39c28461"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/bytebase/bytebase"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Bytebase vulnerable to Improper Authentication"
}

GHSA-5R65-89WP-6MXR

Vulnerability from github – Published: 2026-01-06 18:31 – Updated: 2026-01-12 18:30
VLAI
Details

wolfSSH’s key exchange state machine can be manipulated to leak the client’s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it’s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren’t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-14942"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-06T18:15:42Z",
    "severity": "CRITICAL"
  },
  "details": "wolfSSH\u2019s key exchange state machine can be manipulated to leak the client\u2019s password in the clear, trick the client to send a bogus signature, or trick the client into skipping user authentication. This affects client applications with wolfSSH version 1.4.21 and earlier. Users of wolfSSH must update or apply the fix patch and it\u2019s recommended to update credentials used. This fix is also recommended for wolfSSH server applications. While there aren\u2019t any specific attacks on server applications, the same defect is present. Thanks to Aina Toky Rasoamanana of Valeo and Olivier Levillain of Telecom SudParis for the report.",
  "id": "GHSA-5r65-89wp-6mxr",
  "modified": "2026-01-12T18:30:24Z",
  "published": "2026-01-06T18:31:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14942"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wolfSSL/wolfssh/pull/855"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Red",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Strategy: Libraries or Frameworks

Use an authentication framework or library such as the OWASP ESAPI Authentication feature.

CAPEC-114: Authentication Abuse

An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker.

CAPEC-115: Authentication Bypass

An attacker gains access to application, service, or device with the privileges of an authorized or privileged user by evading or circumventing an authentication mechanism. The attacker is therefore able to access protected data without authentication ever having taken place.

CAPEC-151: Identity Spoofing

Identity Spoofing refers to the action of assuming (i.e., taking on) the identity of some other entity (human or non-human) and then using that identity to accomplish a goal. An adversary may craft messages that appear to come from a different principle or use stolen / spoofed authentication credentials.

CAPEC-194: Fake the Source of Data

An adversary takes advantage of improper authentication to provide data or services under a falsified identity. The purpose of using the falsified identity may be to prevent traceability of the provided data or to assume the rights granted to another individual. One of the simplest forms of this attack would be the creation of an email message with a modified "From" field in order to appear that the message was sent from someone other than the actual sender. The root of the attack (in this case the email system) fails to properly authenticate the source and this results in the reader incorrectly performing the instructed action. Results of the attack vary depending on the details of the attack, but common results include privilege escalation, obfuscation of other attacks, and data corruption/manipulation.

CAPEC-22: Exploiting Trust in Client

An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.

CAPEC-57: Utilizing REST's Trust in the System Resource to Obtain Sensitive Data

This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to obtain sensitive data once SSL is terminated.

CAPEC-593: Session Hijacking

This type of attack involves an adversary that exploits weaknesses in an application's use of sessions in performing authentication. The adversary is able to steal or manipulate an active session and use it to gain unathorized access to the application.

CAPEC-633: Token Impersonation

An adversary exploits a weakness in authentication to create an access token (or equivalent) that impersonates a different entity, and then associates a process/thread to that that impersonated token. This action causes a downstream user to make a decision or take action that is based on the assumed identity, and not the response that blocks the adversary.

CAPEC-650: Upload a Web Shell to a Web Server

By exploiting insufficient permissions, it is possible to upload a web shell to a web server in such a way that it can be executed remotely. This shell can have various capabilities, thereby acting as a "gateway" to the underlying web server. The shell might execute at the higher permission level of the web server, providing the ability the execute malicious code at elevated levels.

CAPEC-94: Adversary in the Middle (AiTM)

An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.