CWE-863
Allowed-with-ReviewIncorrect Authorization
Abstraction: Class · Status: Incomplete
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
5503 vulnerabilities reference this CWE, most recent first.
GHSA-H279-5FW7-CC3M
Vulnerability from github – Published: 2026-05-14 18:32 – Updated: 2026-05-14 18:32Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Library Automation System: from v.19.5 before v.22.1.
{
"affected": [],
"aliases": [
"CVE-2025-15023"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-14T18:16:34Z",
"severity": "HIGH"
},
"details": "Incorrect Authorization vulnerability in Yordam Information Technology Consulting, Training and Electronic Systems Industry and Trade Inc. Library Automation System allows Exploiting Incorrectly Configured Access Control Security Levels.\n\nThis issue affects Library Automation System: from v.19.5 before v.22.1.",
"id": "GHSA-h279-5fw7-cc3m",
"modified": "2026-05-14T18:32:57Z",
"published": "2026-05-14T18:32:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15023"
},
{
"type": "WEB",
"url": "https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-26-0240"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-H287-XX77-94V5
Vulnerability from github – Published: 2024-09-26 15:30 – Updated: 2024-09-26 15:30Mattermost versions 9.10.x <= 9.10.1, 9.9.x <= 9.9.2, 9.5.x <= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.
{
"affected": [],
"aliases": [
"CVE-2024-9155"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-09-26T15:15:18Z",
"severity": "MODERATE"
},
"details": "Mattermost versions 9.10.x \u003c= 9.10.1, 9.9.x \u003c= 9.9.2, 9.5.x \u003c= 9.5.8 fail to limit access to channels files that have not been linked to a post which allows an attacker to view them in channels that they are a member of.",
"id": "GHSA-h287-xx77-94v5",
"modified": "2024-09-26T15:30:44Z",
"published": "2024-09-26T15:30:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9155"
},
{
"type": "WEB",
"url": "https://mattermost.com/security-updates"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2F2-X9QF-59R2
Vulnerability from github – Published: 2025-10-14 03:30 – Updated: 2025-10-14 03:30SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.
{
"affected": [],
"aliases": [
"CVE-2025-42939"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-14T01:15:33Z",
"severity": "MODERATE"
},
"details": "SAP S/4HANA (Manage Processing Rules - For Bank Statements) allows an authenticated attacker with basic privileges to delete conditions from any shared rule of any user by tampering the request parameter. Due to missing authorization check, the attacker can delete shared rule conditions that should be restricted, compromising the integrity of the application without affecting its confidentiality or availability.",
"id": "GHSA-h2f2-x9qf-59r2",
"modified": "2025-10-14T03:30:57Z",
"published": "2025-10-14T03:30:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-42939"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3625683"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2JV-M23F-7XFH
Vulnerability from github – Published: 2025-01-28 00:32 – Updated: 2025-11-03 21:32A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7.3, macOS Sonoma 14.7.3, macOS Sequoia 15. An app may be able to access contacts.
{
"affected": [],
"aliases": [
"CVE-2024-44172"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-27T22:15:11Z",
"severity": "LOW"
},
"details": "A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Ventura 13.7.3, macOS Sonoma 14.7.3, macOS Sequoia 15. An app may be able to access contacts.",
"id": "GHSA-h2jv-m23f-7xfh",
"modified": "2025-11-03T21:32:24Z",
"published": "2025-01-28T00:32:13Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-44172"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/121238"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122069"
},
{
"type": "WEB",
"url": "https://support.apple.com/en-us/122070"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/16"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2025/Jan/17"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2M9-38G2-XRH9
Vulnerability from github – Published: 2025-03-04 21:30 – Updated: 2025-03-04 21:30A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.
{
"affected": [],
"aliases": [
"CVE-2024-39352"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-28T06:15:06Z",
"severity": "MODERATE"
},
"details": "A vulnerability regarding incorrect authorization is found in the firmware upgrade functionality. This allows remote authenticated users with administrator privileges to bypass firmware integrity check via unspecified vectors. The following models with Synology Camera Firmware versions before 1.0.7-0298 may be affected: BC500 and TC500.",
"id": "GHSA-h2m9-38g2-xrh9",
"modified": "2025-03-04T21:30:53Z",
"published": "2025-03-04T21:30:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39352"
},
{
"type": "WEB",
"url": "https://www.synology.com/en-global/security/advisory/Synology_SA_23_15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2P5-5XGM-H7M9
Vulnerability from github – Published: 2024-02-06 00:30 – Updated: 2026-04-08 21:32The Getwid – Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting 'g-recaptcha-response' from the 'data' array.
{
"affected": [],
"aliases": [
"CVE-2023-6963"
],
"database_specific": {
"cwe_ids": [
"CWE-804",
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-02-05T22:15:57Z",
"severity": "MODERATE"
},
"details": "The Getwid \u2013 Gutenberg Blocks plugin for WordPress is vulnerable to CAPTCHA Bypass in versions up to, and including, 2.0.4. This makes it possible for unauthenticated attackers to bypass the Captcha Verification of the Contact Form block by omitting \u0027g-recaptcha-response\u0027 from the \u0027data\u0027 array.",
"id": "GHSA-h2p5-5xgm-h7m9",
"modified": "2026-04-08T21:32:12Z",
"published": "2024-02-06T00:30:26Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6963"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/changeset/3022982"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d317f2c7-06f3-4875-9f9b-eb7f450aa2f4?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2Q6-MM6M-CFXP
Vulnerability from github – Published: 2026-04-22 18:31 – Updated: 2026-04-22 18:31GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.
{
"affected": [],
"aliases": [
"CVE-2026-5377"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-22T17:16:44Z",
"severity": "MODERATE"
},
"details": "GitLab has remediated an issue in GitLab CE/EE affecting all versions from 18.11 before 18.11.1 that could have allowed an authenticated user to access titles of confidential or private issues in public projects due to improper access control in the issue description rendering process.",
"id": "GHSA-h2q6-mm6m-cfxp",
"modified": "2026-04-22T18:31:47Z",
"published": "2026-04-22T18:31:46Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5377"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/3640688"
},
{
"type": "WEB",
"url": "https://about.gitlab.com/releases/2026/04/22/patch-release-gitlab-18-11-1-released"
},
{
"type": "WEB",
"url": "https://gitlab.com/gitlab-org/gitlab/-/work_items/595553"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-H2QH-93XP-94XR
Vulnerability from github – Published: 2022-05-24 19:15 – Updated: 2022-05-24 19:15Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.
{
"affected": [],
"aliases": [
"CVE-2020-19551"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-09-21T19:15:00Z",
"severity": "HIGH"
},
"details": "Blacklist bypass issue exists in WUZHI CMS up to and including 4.1.0 in common.func.php, which when uploaded can cause remote code executiong.",
"id": "GHSA-h2qh-93xp-94xr",
"modified": "2022-05-24T19:15:23Z",
"published": "2022-05-24T19:15:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-19551"
},
{
"type": "WEB",
"url": "https://github.com/wuzhicms/wuzhicms/issues/177"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-H2W2-V7J6-XQM4
Vulnerability from github – Published: 2026-06-18 14:26 – Updated: 2026-06-18 14:26Summary
The published npm package praisonai exports createAgentLoop(), whose onToolCall callback is documented and exampled as an approval hook. The implementation calls PraisonAI's generateText() wrapper with the caller's executable tools first, receives toolResults, and only then calls onToolCall().
Because AI SDK generateText() executes tools with an execute function as part of the generation call, onToolCall can deny a tool only after the sensitive side effect has already happened. PraisonAI then returns finishReason: "tool_rejected", which is a false security signal: the rejected tool already ran.
The PoV is deterministic and local-only. It uses mock AI SDK modules, no live model call, no API key, and no network target. The tool increments an in-memory counter rather than touching the filesystem or executing commands.
Technical Details
In src/praisonai-ts/src/ai/agent-loop.ts, the public config says:
/** On tool call callback (for approval) */
onToolCall?: (toolCall: ToolCallInfo) => Promise<boolean>;
The inline approval example also asks a user for approval and returns the decision:
onToolCall: async (toolCall) => {
const approved = await askUserForApproval(toolCall);
return approved;
}
However, AgentLoop.step() calls generateText() with the executable tools before invoking onToolCall:
const result = await generateText({
model: this.config.model,
messages: this.messages as any,
tools: this.config.tools,
maxSteps: 1,
});
It then materializes toolResults:
toolResults: result.toolResults.map(tr => ({
toolCallId: tr.toolCallId,
toolName: tr.toolName,
result: tr.result,
})),
Only afterward does the approval callback run:
if (this.config.onToolCall) {
for (const toolCall of step.toolCalls) {
const approved = await this.config.onToolCall(toolCall);
if (!approved) {
this.complete = true;
step.finishReason = 'tool_rejected';
break;
}
}
}
src/praisonai-ts/src/ai/generate-text.ts forwards the caller's tools directly to AI SDK:
const result = await sdk.generateText({
model,
...
tools: options.tools,
maxSteps: options.maxSteps,
...
});
AI SDK documents that generateText() "generates text and calls tools", and that tools with an execute function run automatically unless approval is handled before execution with needsApproval.
The published npm:praisonai@1.7.1 dist files preserve the same order:
dist/ai/agent-loop.jslines 150-157 callgenerateText()with executable tools.- lines 162-171 materialize
toolResults. - lines 183-195 call
onToolCall()and settool_rejectedafterward.
Why This Is Not Intended Behavior
This is not a trust-model-only issue. PraisonAI explicitly labels onToolCall as an approval callback and shows an approval example. A user who returns false from that callback expects the tool not to run.
It also conflicts with the AI SDK execution model PraisonAI wraps:
- AI SDK
generateText()executes tools that include anexecutefunction. - AI SDK approval is a pre-execution boundary (
needsApproval), not a post-execution notification. - AI SDK loop control documentation treats "a tool call needs approval" as a condition that stops or pauses the loop before executing the tool.
PraisonAI's current behavior instead creates a post-execution audit hook while naming and documenting it as approval.
PoV
Run from a local reproduction checkout:
node poc/pov_poc.js 1.7.1
Expected output includes:
{
"praisonaiVersion": "1.7.1",
"createAgentLoopExported": true,
"eventOrder": ["tool-executed", "approval-denied"],
"sideEffects": 1,
"finishReason": "tool_rejected",
"toolCallCount": 1,
"toolResultCount": 1,
"rejectedAfterExecution": true,
"vulnerable": true,
"patchedControl": {
"order": ["approval-denied"],
"sideEffects": 0,
"toolCallCount": 1,
"toolResultCount": 0,
"blocksBeforeExecution": true
}
}
The PoV installs npm:praisonai@1.7.1 into a temporary project and supplies mock ai and @ai-sdk/openai modules. The mocked generateText() returns one tool-call intent and executes a supplied execute handler if present. This keeps the proof deterministic and isolates PraisonAI's ordering bug.
The vulnerable run uses createAgentLoop() with:
- a
dangerousWritetool whoseexecute()handler increments an in-memory side-effect counter and recordstool-executed; - an
onToolCallapproval callback that always returnsfalseand recordsapproval-denied.
The observed order is:
tool-executed > approval-denied
That proves denial happens after execution. The toolResults array contains the tool's result even though PraisonAI reports finishReason: "tool_rejected".
The patched-control comparison strips executable handlers before the model step, requests approval on the tool-call intent, and only executes if approval succeeds. With the same denial decision, the control output is:
approval-denied
sideEffects = 0
toolResultCount = 0
PoC
The PoV section above contains the local reproduction command, input, and decisive output.
Impact
Any application using npm PraisonAI createAgentLoop() with onToolCall as a human-in-the-loop or policy approval boundary can execute denied tools.
If the application exposes the agent loop to lower-trust prompts or users and registers powerful tools, an attacker can cause the model to call a tool that the approval callback denies. The denial occurs too late. Depending on the registered tool, impact can include file modification, command execution, external API calls, data mutation, credential use, or other side effects with the privileges of the PraisonAI process.
The report does not claim that npm PraisonAI exposes this as a default network service. It is a library-level approval-boundary bypass in the exported TypeScript agent-loop API.
Severity
Suggested severity: High.
Rationale:
AV: common deployment pattern is an application exposing agent prompts over a network.AC: attacker only needs to induce a tool call.PR: conservative base score assumes the attacker can submit prompts to the application.UI: no additional operator action is needed for the tool to execute before denial; even a denial callback is too late.S: impact is in the PraisonAI-hosting application process.C/I/A: depends on registered tools; shell/file/API tools can affect confidentiality, integrity, and availability.
If maintainers score only local scripts that process untrusted repositories or prompts, AV:L may be reasonable. If they score public unauthenticated prompt endpoints built on this API, PR:N may be reasonable.
Suggested Fix
Do not pass executable tool handlers into generateText() before approval.
One safe shape:
- Convert configured tools into intent-only tool definitions without
execute. - Call
generateText()to obtain the model's tool-call intent. - Invoke
onToolCall(toolCall)before any side effect. - Execute the selected tool only if approval returns true.
- Append approved tool results to the conversation and continue the loop.
Alternatively, if PraisonAI wants to delegate approval to AI SDK v6, translate onToolCall into per-tool needsApproval semantics so AI SDK pauses before calling execute.
Regression tests should include:
onToolCallreturns false and the toolexecute()counter remains zero;onToolCallreturns true and the tool executes exactly once;tool_rejectedis never reported together with a tool result produced by the denied tool;- streaming and non-streaming loop variants use the same approval ordering if added later.
Affected Package/Versions
- Repository:
MervinPraison/PraisonAI - Package:
npm:praisonai - Component: TypeScript
AgentLoop - Current head validated:
1ad58ca02975ff1398efeda694ea2ab78f20cf3e - Current tag validated:
v4.6.58 - Latest npm package validated:
1.7.1
Suggested affected range:
npm:praisonai >= 1.4.0, <= 1.7.1
Selected version sweep:
1.0.0: package main cannot be required in the selected test environment.1.2.0:createAgentLoopis not exported.1.3.6:createAgentLoopis not exported.1.4.0: vulnerable.1.5.0: vulnerable.1.5.4: vulnerable.1.6.0: vulnerable.1.7.0: vulnerable.1.7.1: vulnerable.
Advisory History
This is distinct from known and previously submitted PraisonAI issues:
GHSA-ffp3-3562-8cv3covers Pythonpraisonaiagentsapproval cache keyed by tool name rather than invocation arguments.GHSA-qwgj-rrpj-75xmcovers Python Chainlit UI overriding configured approval mode withauto.GHSA-63v4-w882-g4x2/ poc covers PythonHTTPApprovalapproval-page XSS.- poc covers npm TypeScript
AgentOSmissing authentication. - poc covers npm TypeScript
codeModesandbox escape. - poc covers npm TypeScript
MCPServermissing authentication.
No visible local or GitHub advisory covers npm TypeScript AgentLoop.onToolCall executing after tool results already exist.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.7.1"
},
"package": {
"ecosystem": "npm",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "1.4.0"
},
{
"fixed": "1.7.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-693",
"CWE-862",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T14:26:51Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe published npm package `praisonai` exports `createAgentLoop()`, whose `onToolCall` callback is documented and exampled as an approval hook. The implementation calls PraisonAI\u0027s `generateText()` wrapper with the caller\u0027s executable tools first, receives `toolResults`, and only then calls `onToolCall()`.\n\nBecause AI SDK `generateText()` executes tools with an `execute` function as part of the generation call, `onToolCall` can deny a tool only after the sensitive side effect has already happened. PraisonAI then returns `finishReason: \"tool_rejected\"`, which is a false security signal: the rejected tool already ran.\n\nThe PoV is deterministic and local-only. It uses mock AI SDK modules, no live model call, no API key, and no network target. The tool increments an in-memory counter rather than touching the filesystem or executing commands.\n\n## Technical Details\n\nIn `src/praisonai-ts/src/ai/agent-loop.ts`, the public config says:\n\n```ts\n/** On tool call callback (for approval) */\nonToolCall?: (toolCall: ToolCallInfo) =\u003e Promise\u003cboolean\u003e;\n```\n\nThe inline approval example also asks a user for approval and returns the decision:\n\n```ts\nonToolCall: async (toolCall) =\u003e {\n const approved = await askUserForApproval(toolCall);\n return approved;\n}\n```\n\nHowever, `AgentLoop.step()` calls `generateText()` with the executable tools before invoking `onToolCall`:\n\n```ts\nconst result = await generateText({\n model: this.config.model,\n messages: this.messages as any,\n tools: this.config.tools,\n maxSteps: 1,\n});\n```\n\nIt then materializes `toolResults`:\n\n```ts\ntoolResults: result.toolResults.map(tr =\u003e ({\n toolCallId: tr.toolCallId,\n toolName: tr.toolName,\n result: tr.result,\n})),\n```\n\nOnly afterward does the approval callback run:\n\n```ts\nif (this.config.onToolCall) {\n for (const toolCall of step.toolCalls) {\n const approved = await this.config.onToolCall(toolCall);\n if (!approved) {\n this.complete = true;\n step.finishReason = \u0027tool_rejected\u0027;\n break;\n }\n }\n}\n```\n\n`src/praisonai-ts/src/ai/generate-text.ts` forwards the caller\u0027s tools directly to AI SDK:\n\n```ts\nconst result = await sdk.generateText({\n model,\n ...\n tools: options.tools,\n maxSteps: options.maxSteps,\n ...\n});\n```\n\nAI SDK documents that `generateText()` \"generates text and calls tools\", and that tools with an `execute` function run automatically unless approval is handled before execution with `needsApproval`.\n\nThe published `npm:praisonai@1.7.1` dist files preserve the same order:\n\n- `dist/ai/agent-loop.js` lines 150-157 call `generateText()` with executable tools.\n- lines 162-171 materialize `toolResults`.\n- lines 183-195 call `onToolCall()` and set `tool_rejected` afterward.\n\n### Why This Is Not Intended Behavior\n\nThis is not a trust-model-only issue. PraisonAI explicitly labels `onToolCall` as an approval callback and shows an approval example. A user who returns `false` from that callback expects the tool not to run.\n\nIt also conflicts with the AI SDK execution model PraisonAI wraps:\n\n- AI SDK `generateText()` executes tools that include an `execute` function.\n- AI SDK approval is a pre-execution boundary (`needsApproval`), not a post-execution notification.\n- AI SDK loop control documentation treats \"a tool call needs approval\" as a condition that stops or pauses the loop before executing the tool.\n\nPraisonAI\u0027s current behavior instead creates a post-execution audit hook while naming and documenting it as approval.\n\n## PoV\n\nRun from a local reproduction checkout:\n\n```bash\nnode poc/pov_poc.js 1.7.1\n```\n\nExpected output includes:\n\n```json\n{\n \"praisonaiVersion\": \"1.7.1\",\n \"createAgentLoopExported\": true,\n \"eventOrder\": [\"tool-executed\", \"approval-denied\"],\n \"sideEffects\": 1,\n \"finishReason\": \"tool_rejected\",\n \"toolCallCount\": 1,\n \"toolResultCount\": 1,\n \"rejectedAfterExecution\": true,\n \"vulnerable\": true,\n \"patchedControl\": {\n \"order\": [\"approval-denied\"],\n \"sideEffects\": 0,\n \"toolCallCount\": 1,\n \"toolResultCount\": 0,\n \"blocksBeforeExecution\": true\n }\n}\n```\n\nThe PoV installs `npm:praisonai@1.7.1` into a temporary project and supplies mock `ai` and `@ai-sdk/openai` modules. The mocked `generateText()` returns one tool-call intent and executes a supplied `execute` handler if present. This keeps the proof deterministic and isolates PraisonAI\u0027s ordering bug.\n\nThe vulnerable run uses `createAgentLoop()` with:\n\n- a `dangerousWrite` tool whose `execute()` handler increments an in-memory side-effect counter and records `tool-executed`;\n- an `onToolCall` approval callback that always returns `false` and records `approval-denied`.\n\nThe observed order is:\n\n```text\ntool-executed \u003e approval-denied\n```\n\nThat proves denial happens after execution. The `toolResults` array contains the tool\u0027s result even though PraisonAI reports `finishReason: \"tool_rejected\"`.\n\nThe patched-control comparison strips executable handlers before the model step, requests approval on the tool-call intent, and only executes if approval succeeds. With the same denial decision, the control output is:\n\n```text\napproval-denied\nsideEffects = 0\ntoolResultCount = 0\n```\n\n## PoC\n\nThe PoV section above contains the local reproduction command, input, and decisive output.\n\n## Impact\n\nAny application using npm PraisonAI `createAgentLoop()` with `onToolCall` as a human-in-the-loop or policy approval boundary can execute denied tools.\n\nIf the application exposes the agent loop to lower-trust prompts or users and registers powerful tools, an attacker can cause the model to call a tool that the approval callback denies. The denial occurs too late. Depending on the registered tool, impact can include file modification, command execution, external API calls, data mutation, credential use, or other side effects with the privileges of the PraisonAI process.\n\nThe report does not claim that npm PraisonAI exposes this as a default network service. It is a library-level approval-boundary bypass in the exported TypeScript agent-loop API.\n\n### Severity\n\nSuggested severity: High.\n\nRationale:\n\n- `AV`: common deployment pattern is an application exposing agent prompts over a network.\n- `AC`: attacker only needs to induce a tool call.\n- `PR`: conservative base score assumes the attacker can submit prompts to the application.\n- `UI`: no additional operator action is needed for the tool to execute before denial; even a denial callback is too late.\n- `S`: impact is in the PraisonAI-hosting application process.\n- `C/I/A`: depends on registered tools; shell/file/API tools can affect confidentiality, integrity, and availability.\n\nIf maintainers score only local scripts that process untrusted repositories or prompts, `AV:L` may be reasonable. If they score public unauthenticated prompt endpoints built on this API, `PR:N` may be reasonable.\n\n## Suggested Fix\n\nDo not pass executable tool handlers into `generateText()` before approval.\n\nOne safe shape:\n\n1. Convert configured tools into intent-only tool definitions without `execute`.\n2. Call `generateText()` to obtain the model\u0027s tool-call intent.\n3. Invoke `onToolCall(toolCall)` before any side effect.\n4. Execute the selected tool only if approval returns true.\n5. Append approved tool results to the conversation and continue the loop.\n\nAlternatively, if PraisonAI wants to delegate approval to AI SDK v6, translate `onToolCall` into per-tool `needsApproval` semantics so AI SDK pauses before calling `execute`.\n\nRegression tests should include:\n\n- `onToolCall` returns false and the tool `execute()` counter remains zero;\n- `onToolCall` returns true and the tool executes exactly once;\n- `tool_rejected` is never reported together with a tool result produced by the denied tool;\n- streaming and non-streaming loop variants use the same approval ordering if added later.\n\n## Affected Package/Versions\n\n- Repository: `MervinPraison/PraisonAI`\n- Package: `npm:praisonai`\n- Component: TypeScript `AgentLoop`\n- Current head validated: `1ad58ca02975ff1398efeda694ea2ab78f20cf3e`\n- Current tag validated: `v4.6.58`\n- Latest npm package validated: `1.7.1`\n\nSuggested affected range:\n\n```text\nnpm:praisonai \u003e= 1.4.0, \u003c= 1.7.1\n```\n\nSelected version sweep:\n\n- `1.0.0`: package main cannot be required in the selected test environment.\n- `1.2.0`: `createAgentLoop` is not exported.\n- `1.3.6`: `createAgentLoop` is not exported.\n- `1.4.0`: vulnerable.\n- `1.5.0`: vulnerable.\n- `1.5.4`: vulnerable.\n- `1.6.0`: vulnerable.\n- `1.7.0`: vulnerable.\n- `1.7.1`: vulnerable.\n\n## Advisory History\n\nThis is distinct from known and previously submitted PraisonAI issues:\n\n- `GHSA-ffp3-3562-8cv3` covers Python `praisonaiagents` approval cache keyed by tool name rather than invocation arguments.\n- `GHSA-qwgj-rrpj-75xm` covers Python Chainlit UI overriding configured approval mode with `auto`.\n- `GHSA-63v4-w882-g4x2` / poc covers Python `HTTPApproval` approval-page XSS.\n- poc covers npm TypeScript `AgentOS` missing authentication.\n- poc covers npm TypeScript `codeMode` sandbox escape.\n- poc covers npm TypeScript `MCPServer` missing authentication.\n\nNo visible local or GitHub advisory covers npm TypeScript `AgentLoop.onToolCall` executing after tool results already exist.",
"id": "GHSA-h2w2-v7j6-xqm4",
"modified": "2026-06-18T14:26:51Z",
"published": "2026-06-18T14:26:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-h2w2-v7j6-xqm4"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "npm PraisonAI AgentLoop onToolCall approval runs after tool execution"
}
GHSA-H34R-WGPP-R3P4
Vulnerability from github – Published: 2025-10-03 12:33 – Updated: 2025-10-08 15:32A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.
{
"affected": [],
"aliases": [
"CVE-2025-27236"
],
"database_specific": {
"cwe_ids": [
"CWE-863"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-03T12:15:43Z",
"severity": "LOW"
},
"details": "A regular Zabbix user can search other users in their user group via Zabbix API by select fields the user does not have access to view. This allows data-mining some field values the user does not have access to.",
"id": "GHSA-h34r-wgpp-r3p4",
"modified": "2025-10-08T15:32:26Z",
"published": "2025-10-03T12:33:15Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27236"
},
{
"type": "WEB",
"url": "https://support.zabbix.com/browse/ZBX-27060"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
No CAPEC attack patterns related to this CWE.