CVE-2026-34953
published 2026-04-03CVE-2026-34953: PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store…
PriorityP357critical9.1CVSS 3.1
AVNACLPRNUINSUCHIHAN
EPSS
0.38%
29.4th percentile
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.97 | 4.5.97 |
| mervinpraison | praisonai | >= 0 < 4.5.97 | 4.5.97 |
| mervinpraison | praisonai | >= 1.5.1 < 1.7.2 | 1.7.2 |
| praison | praisonai | < 4.5.97 | 4.5.97 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
ghsa·2026-06-18
CVE-2026-34953 [HIGH] CWE-287 npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
npm PraisonAI MCPSecurity Basic/OAuth authentication policies accept invalid credentials without validation
## Summary
The published npm package `praisonai` exports an `MCPSecurity` helper described in source as:
```text
MCP Security - Authentication, authorization, and rate limiting
Provides security policies for MCP servers.
```
Its `AuthMethod` type advertises five authentication methods:
```ts
export type AuthMethod = 'none' | 'api-key' | 'bearer' | 'basic' | 'oauth';
```
The authentication-policy evaluator, however, only validates credentials for `api-key` and `bearer`:
```ts
if (policy.auth.method === 'api-key' || policy.auth.method === 'bearer') {
const valid = policy.auth.validate
? await policy.auth.validate(token)
: this.validateApiKey(token);
if (!valid) {
return { allow
GHSA
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
ghsa·2026-04-01
CVE-2026-34953 [CRITICAL] CWE-863 PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
### Summary
`OAuthManager.validate_token()` returns `True` for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities.
### Details
`oauth.py:364` (source) -> `oauth.py:374` (loop miss) -> `oauth.py:381` (sink)
```python
# source
def validate_token(self, token: str) -> bool:
for stored_token in self._tokens.values():
if stored_token.access_token == token:
return not stored_token.is_expired()
# sink -- _tokens is empty by default, loop never executes, falls through
return True
```
### PoC
```bash
# install: pip install -e src/praisonai
# star
OSV
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
osv·2026-04-01
CVE-2026-34953 [CRITICAL] PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
PraisonAI Has Authentication Bypass via OAuthManager.validate_token()
### Summary
`OAuthManager.validate_token()` returns `True` for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities.
### Details
`oauth.py:364` (source) -> `oauth.py:374` (loop miss) -> `oauth.py:381` (sink)
```python
# source
def validate_token(self, token: str) -> bool:
for stored_token in self._tokens.values():
if stored_token.access_token == token:
return not stored_token.is_expired()
# sink -- _tokens is empty by default, loop never executes, falls through
return True
```
### PoC
```bash
# install: pip install -e src/praisonai
# star
No detection rules found.
No public exploits indexed.
2026-04-03
Published