33190 matches found
PraisonAI Code agent tools fail open without a workspace boundary
PraisonAI Code agent tools fail open without a workspace boundary Summary PraisonAI Code's agent-compatible CODETOOLS wrappers keep a global workspace root initialized to None. If an application uses CODETOOLS, codereadfile, codesearchreplace, or codeapplydiff before calling setworkspace, the...
PraisonAI: Missing Authentication for Critical Function and Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in praisonai
Unauthenticated PraisonAI UI MCP connect endpoint executes attacker-chosen local commands Summary PraisonAI v4.6.48 exposes the PraisonAIUI MCP client management API through the default UI host apps without authentication. A remote unauthenticated client can send POST /api/mcp/connect with a...
PraisonAI: Webhook signature verification skipped (fail-open) when secret unset, allowing forged inbound webhooks (WhatsApp & Linear bots)
The WhatsApp and Linear bot adapters verify the inbound webhook HMAC signature only when a secret is configured. When the secret environment variable is unset — the default on a fresh install and common in development — verification is skipped entirely and the webhook body is parsed and dispatche...
PraisonAI: Missing ownership check on DELETE endpoints allows members to delete others' content in Platform API
Summary A workspace member can permanently delete any resource — projects, agents, issues, labels, issue dependencies, and issue-label attachments — created by the workspace owner or other members. All six content DELETE endpoints enforce workspace membership but perform no ownership or role chec...
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
AgentOS remains unauthenticated after GHSA-pm96 patched version and allows remote agent invocation Summary PraisonAI's AgentOS FastAPI deployment surface remains unauthenticated in current main and in releases after the published patched version for GHSA-pm96-6xpr-978x / CVE-2026-40151. The publi...
PraisonAI AgentTeam.launch exposes unauthenticated remote agent listing and invocation endpoints
PraisonAI AgentTeam.launch exposes unauthenticated remote agent invocation endpoints Summary PraisonAI's documented Python AgentTeam.launch / Agents.launch HTTP server starts externally reachable agent invocation endpoints without any authentication enforcement. The current implementation registe...
PraisonAI: Jobs webhook SSRF protection bypass via DNS rebinding
Jobs webhook SSRF protection bypass via DNS rebinding Summary PraisonAI's Async Jobs API validates webhookurl when a job request is parsed and again when the internal Job object is constructed. That validation blocks direct loopback/private targets, but it is not bound to the later network reques...
PraisonAI: Jobs API exposes agent-execution endpoints with no authentication
praisonai: Jobs API exposes agent-execution endpoints with no authentication Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Affected version empirically tested: 4.6.48...
PraisonAI: Arbitrary File Read via `@file:` Mention Path Traversal
Summary The MentionsParser in src/praisonai-agents/praisonaiagents/tools/mentions.py processes @file: mentions in agent prompts by reading arbitrary files from the filesystem. When a file path is not found relative to the workspace, the parser falls back to using the path as an absolute path...
praisonai: recipe serve auth middleware silently disables itself when no secret is set
praisonai: recipe serve authentication middleware silently disables itself when no secret is set Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI --- Package: praisonai on PyPI Version tested: 4.6.48...
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS
praisonaiagents: SSRF guard validates literal IPs only and never resolves DNS Researcher: Kai Aizen — SnailSploit @SnailSploit, Adversarial & Offensive Security Research Target: https://github.com/MervinPraison/PraisonAI Weakness: CWE-918 Server-Side Request Forgery SSRF. --- Summary The SSRF gua...
PraisonAI: Unauthenticated RCE via Jobs API + Approval Bypass
Unauthenticated Remote Code Execution via Jobs API and Approval Bypass in PraisonAI Summary An unauthenticated attacker can execute arbitrary OS commands on any server running the PraisonAI Jobs API by submitting a crafted workflow YAML. The attack chains two weaknesses: the /api/v1/runs endpoint...
PraisonAI: Unauthenticated Local File Inclusion via agent_file path in PraisonAI Jobs API
Summary An unauthenticated attacker can read arbitrary files on the server by supplying an absolute filesystem path in the agentfile field of the Jobs API. The field has no path validation, no allowlist, and no authentication is required to submit jobs. Details The agentfile field in...
PraisonAI: MCP SSE transport binds 0.0.0.0 with no authentication and no Origin validation; bundled SecurityConfig is never wired in
The MCP SSE server started via ToolsMCPServer.runsse / launchtoolsmcpservertransport="sse" binds to 0.0.0.0 by default and builds its Starlette application with no authentication middleware and no Origin-header validation. The module mcp/mcpsecurity.py provides exactly the needed controls origin...
PraisonAI: execute_code sandbox bypass: str.format C-level attribute access reads every blocklisted dunder
Summary The executecode tool's subprocess sandbox advertises a three-layer defense AST validation, text-pattern blocklist, restricted builtins. In sandbox mode the default only two layers are active — the text-pattern blocklist is skipped — and both remaining layers are bypassed by combining two...
PraisonAI: SpiderTools redirect-target SSRF protection bypass
SpiderTools redirect-target SSRF protection bypass Summary SpiderTools.scrapepage validates the initial URL and rejects direct loopback, private, link-local, metadata, and internal hostnames. It then calls requests.Session.get without disabling automatic redirects or validating redirect Location...
PraisonAI: Compute-bridged file tools allow shell command injection
Compute-bridged file tools allow shell command injection Summary LocalManagedAgent / SandboxedAgent compute bridging wraps readfile, listfiles, and writefile when a compute provider is attached. The bridge converts those file operations into shell command strings using raw path arguments, then...
PraisonAI recipe.run_stream skips dangerous-tool policy enforcement
PraisonAI recipe.runstream skips dangerous-tool policy enforcement Summary PraisonAI recipe execution blocks default-denied dangerous tools unless the caller explicitly passes allowdangeroustools=True. The normal recipe.run path enforces this with checktoolpolicy. The streaming path,...
PraisonAI: HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools
HTTPApproval dashboard renders tool arguments as raw HTML, allowing approval-page XSS to approve dangerous tools Summary praisonai.bots.HTTPApproval renders pending tool approval arguments directly into the approval dashboard HTML. An attacker-controlled tool argument can inject JavaScript into...
PraisonAI LinearBot processes unsigned webhooks when LINEAR_WEBHOOK_SECRET is missing
PraisonAI LinearBot processes unsigned webhooks when LINEARWEBHOOKSECRET is missing Summary PraisonAI's LinearBot starts a public webhook listener on 0.0.0.0 and treats LINEARWEBHOOKSECRET as optional. When the secret is absent, startup only logs a warning and handlewebhook skips Linear-Signature...
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage
PraisonAI dynamic-context artifact tools read arbitrary host files outside artifact storage Summary PraisonAI's Dynamic Context Discovery feature exposes artifact helper tools through ctx.gettools: python ctx = setupdynamiccontext agent = Agent instructions="You are a data analyst.",...
PraisonAI Slack app_mention bypasses configured user/channel authorization
PraisonAI Slack appmention bypasses configured user/channel authorization Summary PraisonAI's Slack bot applies its configured allowedusers, allowedchannels, and unknown-user pairing policy in the normal Slack message event handler, but not in the adjacent Slack appmention event handler. A Slack...
PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard
PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard Summary PraisonAI's installed console entrypoint is Typer-first. In current releases, the recipe command is registered in the Typer app and praisonai recipe serve dispatches to the deprecated Typer command in...
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools
PraisonAI ToolsMCPServer legacy SSE transport accepts attacker Host/Origin and exposes registered tools Summary praisonaiagents.mcp.ToolsMCPServer.runsse builds a Starlette MCP HTTP+SSE server around mcp.server.sse.SseServerTransport. The server exposes /sse and /messages/, but it does not valida...
PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal
PraisonAI Dynamic Context history and terminal tools read files outside configured storage via path traversal Summary PraisonAI's Dynamic Context module provides filesystem-backed history and terminal-log storage. The SDK reference describes the module as providing: - artifact storage for tool...
PraisonAI DiscordApproval accepts unrelated channel messages as dangerous-tool approvals
DiscordApproval accepts unrelated channel messages as dangerous-tool approvals Summary praisonai.bots.DiscordApproval approves a pending dangerous tool call when it sees any later non-bot message in the configured Discord channel whose text is classified as approval, such as yes. The decision is...
ZITADEL: Missing Token Audience Validation (`aud`) in JWT IdP Provider
Summary An authentication bypass vulnerability was discovered in ZITADEL's external JWT Identity Provider IdP implementation. When validating JSON Web Tokens JWTs from an external provider, ZITADEL properly checks the token's cryptographic signature and issuer iss, but it fails to validate the...
ZITADEL: Missing Token Lifecyle Validation (`exp` and `iat`) in JWT IdP Provider
Summary Two closely related token lifecycle validation vulnerabilities were discovered in ZITADEL's external JWT Identity Provider IdP implementation. Specifically, within the validation pipeline: Missing Expiration exp Enforcement: If an incoming JWT omits the exp claim entirely, the expiration...
ZITADEL: Missing client_id binding in OIDC authorization code exchange and refresh token flows (RFC 6749 Section 4.1.3 violation)
Summary Zitadel's OAuth2 / OIDC CodeExchange and RefreshToken implementations omit a critical validation step to ensure that the requesting client matches the client that originally initiated the authorization flow. This violates RFC 6749 Section 4.1.3, which mandates that the authorization serve...
PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint
Summary The SSE Server-Sent Events server in src/praisonai-agents/praisonaiagents/server/server.py exposes a /publish endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The ServerConfig dataclass line 24 defines an authtoken field, but this token is...
ZITADEL: Cross-Tenant User Leakage via Recycled Identifiers
Summary A flaw in the user lifecycle enforcement allowed deleted users to retain their original organization/tenant association. Recreating a deleted user under a distinct organization can cause the new user instance to be incorrectly provisioned within the original organization if the previous I...
JLine3 Telnet server: Unauthenticated Remote Memory Exhaustion via Unbounded Telnet NEW-ENVIRON Variables
Summary The JLine3 Telnet server remote-telnet module does not limit the number of environment variables a client may inject via the Telnet NEW-ENVIRON option. An unauthenticated attacker can flood the server with a large number of unique variable pairs before sending the terminating IAC SE byte,...
JLine3 Telnet server: Unauthenticated Remote DoS via Unbounded Telnet NAWS Terminal Geometry
Summary The JLine3 Telnet server remote-telnet module does not apply an upper bound to terminal dimensions received via the Telnet NAWS Negotiate About Window Size option. An unauthenticated remote attacker can send a NAWS subnegotiation advertising a 65535×65535 terminal and repeatedly alternate...
TinaCMS rich-text (slatejson) rendering does not sanitize link/image URLs, allowing stored XSS via dangerous URL schemes
TinaCMS rich-text parsing and the default link/image renderers did not sanitize the url field on Slate link/image nodes. Content containing javascript: or data:text/html URLs — including case-variant, whitespace-padded, and control-character-obfuscated forms — is rendered into href/src and execut...
Karate Mock Server RCE via embedded expression evaluation of request-derived data
Summary Karate Mock Server can execute embedded expressions found in attacker-controlled HTTP request data when a Mock Server feature assigns request-derived values such as request, requestHeaders, or requestParams to variables. In affected scenarios, an unauthenticated remote attacker can place ...
Hydro: Insufficient session expiration when recreating sessions
Impact Hydro contains an insufficient session expiration vulnerability in its session recreation logic. When a session is recreated, including during logout or other session renewal flows, Hydro creates a new session token but does not delete the previous server-side session token. As a result, a...
http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`
Summary fixRequestBody is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the outgoing Content-Type is multipart/form-data, it rebuilds the body with handlerFormDataBodyData, which interpolates each req.body key and value directly in...
http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass
Summary http-proxy-middleware documents router proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted Host header that is only a superstring match for a configur...
NCalc: Denial of Service via Unbounded and Non-Terminating Factorial Evaluation
Impact A denial-of-service DoS vulnerability exists in the factorial operator implementation of NCalc. Specially crafted expressions containing extremely large factorial operands can trigger excessive CPU consumption or cause evaluation to enter a non-terminating loop due to integer overflow in t...
piscina: Prototype Pollution Gadget → RCE via inherited options.filename
Summary piscina's constructor and run paths read the filename option via plain member access: js // dist/index.js line 92 constructor const filename = options.filename ? 0, common1.maybeFileURLToPathoptions.filename : null; this.options = ...kDefaultOptions, ...options, filename, maxQueue: 0 ; //...
Docker MCP Gateway: Argument injection via OCI image label YAML
Summary A maliciously crafted OCI image label can inject arbitrary arguments into the docker run command line constructed by the MCP Gateway. An attacker who controls an image that the victim references via docker://, or that the victim's catalog pulls a snapshot from, can mount the host...
jodit: Prototype pollution in Jodit via Jodit.modules.Helpers.set()
Summary Jodit.modules.Helpers.setchain, value, obj walks the dot-separated chain, creating and following each path segment, without filtering prototype-mutating keys. A chain that begins with or contains proto, constructor, or prototype lets the final assignment reach and mutate Object.prototype...
Gotenberg: SSRF via LibreOffice document processing
Summary Server-Side Request Forgery SSRF vulnerability affecting the /forms/libreoffice/convert endpoint in Gotenberg v8.33.0 running with the default configuration. By uploading a specially crafted DOCX document, an attacker can cause LibreOffice to automatically retrieve external resources duri...
Strimzi: Unrestricted access to all Secrets within namespace watched by the Topic operator
Impact When only the Topic or only the User operators are deployed as part of the Entity Operator in the Kafka custom resource, the RBAC rights are not following the principle of least-privilege and the Entity Operator ServiceAccount still has access rights corresponding to both operators. That...
Strimzi: Cross-namespace privilege escalation via `Kafka.spec.entityOperator`
Impact Having the Topic and User operators to watch different namespaces than the one where the Kafka cluster is deployed, is a fully documented feature. When the watchedNamespace field is used within the Topic or User operator as part of the Kafka.spec.entityOperator field, the Cluster Operator...
OpenClaw: Tool group policy callers could accept unvalidated group IDs
Summary Tool group policy callers could accept unvalidated group IDs. In affected versions, a caller that can supply a group id to the affected policy resolver could resolve policy for an unvalidated group id. This advisory is scoped to the named feature and configuration. It does not change...
OpenClaw: Workspace .env CLOUDSDK_PYTHON could influence Gmail setup gcloud execution
Summary Workspace .env CLOUDSDKPYTHON could influence Gmail setup gcloud execution. In affected versions, a workspace .env in a repository opened by a trusted operator could influence which Python runtime gcloud used through CLOUDSDKPYTHON. This advisory is scoped to the named feature and...
OpenClaw: Shell inline-command parsing could miss an allowlist check
Summary Shell inline-command parsing could miss an allowlist check. In affected versions, a command request using shell inline-command forms could route an inline command through a parser case that did not receive the expected allowlist decision. This advisory is scoped to the named feature and...
OpenClaw: Pairing-scoped device session could restore revoked node token authority
Summary In affected releases, a surviving pairing-scoped session for a device could re-establish node token authority after that node token had been revoked. Revocation should require the device to lose that authority unless it is approved again through the normal pairing flow. This issue affects...
OpenClaw: Host environment sanitizer missed two Node.js control variables
Summary Host environment sanitizer missed two Node.js control variables. In affected versions, a lower-trust env source such as a workspace .env, tool env override, or skill env block could pass Node.js control variables through the shared sanitizer. This advisory is scoped to the named feature a...