CWE-862
Allowed-with-ReviewMissing Authorization
Abstraction: Class · Status: Incomplete
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
14624 vulnerabilities reference this CWE, most recent first.
GHSA-9C7X-GVXW-8JHQ
Vulnerability from github – Published: 2025-01-02 15:31 – Updated: 2026-04-23 15:34Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.
{
"affected": [],
"aliases": [
"CVE-2023-47778"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-01-02T15:15:20Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.",
"id": "GHSA-9c7x-gvxw-8jhq",
"modified": "2026-04-23T15:34:26Z",
"published": "2025-01-02T15:31:59Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47778"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/luckywp-scripts-control/vulnerability/wordpress-luckywp-scripts-control-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9C82-3F2R-V942
Vulnerability from github – Published: 2026-07-10 03:31 – Updated: 2026-07-10 03:31A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.
{
"affected": [],
"aliases": [
"CVE-2026-15320"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-07-10T03:16:20Z",
"severity": "LOW"
},
"details": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.",
"id": "GHSA-9c82-3f2r-v942",
"modified": "2026-07-10T03:31:30Z",
"published": "2026-07-10T03:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15320"
},
{
"type": "WEB",
"url": "https://github.com/sipeed/picoclaw/issues/3071"
},
{
"type": "WEB",
"url": "https://github.com/sipeed/picoclaw"
},
{
"type": "WEB",
"url": "https://vuldb.com/cve/CVE-2026-15320"
},
{
"type": "WEB",
"url": "https://vuldb.com/submit/852942"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377260"
},
{
"type": "WEB",
"url": "https://vuldb.com/vuln/377260/cti"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-9CFJ-6M9J-H4WW
Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-06 06:30In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2026-0023"
],
"database_specific": {
"cwe_ids": [
"CWE-269",
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-03-02T19:16:30Z",
"severity": "HIGH"
},
"details": "In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
"id": "GHSA-9cfj-6m9j-h4ww",
"modified": "2026-03-06T06:30:31Z",
"published": "2026-03-02T21:31:31Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0023"
},
{
"type": "WEB",
"url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/2026-03-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9CG3-R62G-92W5
Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.
{
"affected": [],
"aliases": [
"CVE-2025-12937"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-18T09:15:49Z",
"severity": "MODERATE"
},
"details": "The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027acf_flm_update_template_with_pasted_layout\u0027 function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.",
"id": "GHSA-9cg3-r62g-92w5",
"modified": "2025-11-18T09:30:52Z",
"published": "2025-11-18T09:30:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12937"
},
{
"type": "WEB",
"url": "https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CP6-9C8R-555X
Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue.
{
"affected": [],
"aliases": [
"CVE-2021-4347"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-06-07T02:15:13Z",
"severity": "MODERATE"
},
"details": "The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn\u0027t fully address the issue.",
"id": "GHSA-9cp6-9c8r-555x",
"modified": "2024-04-04T04:38:02Z",
"published": "2023-06-07T03:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4347"
},
{
"type": "WEB",
"url": "https://blog.nintechnet.com/wordpress-advanced-shipment-tracking-for-woocommerce-fixed-critical-vulnerability"
},
{
"type": "WEB",
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4174b47a-75d0-4ada-bd4d-efbaf0b1a049?source=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9CPF-P5Q4-QJRX
Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.
{
"affected": [],
"aliases": [
"CVE-2026-24611"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-17T13:20:10Z",
"severity": "CRITICAL"
},
"details": "Unauthenticated Broken Access Control in MetForm Pro \u003c= 3.9.1 versions.",
"id": "GHSA-9cpf-p5q4-qjrx",
"modified": "2026-06-17T18:35:47Z",
"published": "2026-06-17T18:35:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24611"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability-2?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-9CR9-25Q5-8PRJ
Vulnerability from github – Published: 2026-05-29 22:30 – Updated: 2026-05-29 22:30Summary
The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcp_server/adapters/cli_tools.py:
"registers four file-handling tools by default,
praisonai.rules.create,praisonai.rules.show,praisonai.rules.delete, andpraisonai.workflow.show. Each accepts a path or filename string from MCPtools/callarguments… with no containment check."
Commit 68cc9427 ("fix(security): harden MCP rules path handling…") added a _resolve_rule_path() helper and applied it to rules.create, rules.show, and rules.delete. workflow.show was left unchanged. Two adjacent handlers in the same file have the same pattern, workflow.validate and deploy.validate. Neither was mentioned in the original advisory. Both remain unchanged.
The original advisory also identified the dispatcher (server.py:281-298) as a root cause. It accepts unvalidated **kwargs from params["arguments"] with no enforcement against the tool's declared input_schema. That code is unchanged in HEAD as of commit 42221210.
Result: A single unauthenticated MCP tools/call to praisonai.workflow.show returns the contents of any file the host user can read: /etc/passwd, ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env.
Affected functionality
src/praisonai/praisonai/mcp_server/adapters/cli_tools.py:
| Lines | Tool | Bug |
|---|---|---|
| 63-73 | praisonai.workflow.show |
Returns the full contents of any file the host user can read |
| 42-61 | praisonai.workflow.validate |
Reads any path; YAML parser error messages leak file existence + content fragments |
| 415-432 | praisonai.deploy.validate |
Same pattern as workflow.validate. The config_path="deploy.yaml" default does not constrain the input. |
src/praisonai/praisonai/mcp_server/server.py:281-298, _handle_tools_call:
async def _handle_tools_call(self, params: Dict[str, Any]) -> Dict[str, Any]:
tool_name = params.get("name")
arguments = params.get("arguments", {})
...
tool = self._tool_registry.get(tool_name)
...
if asyncio.iscoroutinefunction(tool.handler):
result = await tool.handler(**arguments) # ← no schema enforcement
else:
result = tool.handler(**arguments)
Any JSON arguments the MCP client sends become a **kwargs call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.
Default deployment is exposed
src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91:
hostdefaults to127.0.0.1, which is still reachable from any local process or container neighbour on loopback.api_keydefaults toNone. The auth check athttp_stream.py:192-198is gated onif self.api_key:, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.- The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).
Other file-read sinks reachable via the same dispatcher
These were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to cli_tools.py:
mcp_server/adapters/capabilities.py:19-28,praisonai.audio.transcribe(file_path). Opens any host file and ships it to OpenAI Whisper.mcp_server/adapters/extended_capabilities.py:47-62,praisonai.files.create(file_path). Uploads any host file to OpenAI Files. A follow-up call topraisonai.files.content(file_id)(extended_capabilities.py:103-113) returns the bytes.mcp_server/adapters/extended_capabilities.py:243-258,praisonai.ocr_extract(image_path). Opens any image, returns OCR text.
The three handlers in cli_tools.py are the most direct primitives, since they echo the file content back without an OpenAI round-trip.
Proof of Concept
Layout
PraisonAI/
└── poc/
├── start_mcp_server.sh ← starts the real MCP server
├── run_mcp_poc_video.sh ← runs the attack with curl
├── venv/
└── output/
├── mcp_server_run.log
├── mcp_attacker_run.log
└── synthetic_credentials.txt (PoC-only fake creds)
start_mcp_server.sh run_mcp_poc_video.sh
The server starter runs the real MCPServer class with register_cli_tools(), same code path praisonai mcp serve --transport http-stream uses. No mocks.
How to reproduce
Terminal 1, start the server:
cd PraisonAI
bash poc/start_mcp_server.sh
Boots MCPServer on 127.0.0.1:8766/mcp with no auth, matching the documented default api_key=None.
Terminal 2, run the attack:
cd PraisonAI
bash poc/run_mcp_poc_video.sh
Six numbered steps. Each one prints the action, runs one curl, prints the JSON-RPC response.
workflow.validate leaks /etc/hosts:
{ "result": { "content": [{ "type": "text",
"text": "YAML error: while scanning for the next token\nfound character '\\t' that cannot start any token\n in \"/etc/hosts\", line 7, column 10" }] } }
The parser error message confirms the file exists and includes a fragment of its content.
deploy.validate leaks ~/.ssh/known_hosts:
{ "result": { "content": [{ "type": "text",
"text": "Error: expected '<document start>', but found '<scalar>'\n in \"/Users/<victim>/.ssh/known_hosts\", line 1, column 13" }] } }
workflow.show exfiltrates a credential file:
{ "result": { "content": [{ "type": "text",
"text": "# AWS-style credentials (SYNTHETIC, for PoC only)\n[default]\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\n\n# .env-style secrets\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\nOPENAI_API_KEY=sk-FAKE-FOR-POC\n" }] } }
The PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer's real secrets. The same call reads ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env if you point it there.
https://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a
Impact
- Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project
.envfiles,~/.netrc,~/.docker/config.json, browser cookie databases, and the system password file. - No authentication required. The default is
api_key=None(http_stream.py:91). The auth check athttp_stream.py:192-198is wrapped inif self.api_key:, so it does not run when no key is configured. - No operator misconfiguration required. This is the documented default.
- The original advisory's exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same
tools/calland returning the response. No operator click is needed beyond "summarise this page".
The original advisory was Critical because the write primitive (rules.create) chained to RCE through .pth injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.
Suggested fix
There are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.
1. Enforce tool.input_schema in the dispatcher
mcp_server/server.py:281-298. The schemas are already built reflectively from each handler's signature in registry.py:320-376. Validate arguments against the registered schema before calling tool.handler(**arguments) and reject anything that does not match. This covers workflow.show, workflow.validate, deploy.validate, audio.transcribe, files.create, ocr_extract, and any handler added later.
2. Per-handler containment
This is the same shape as the existing _resolve_rule_path() helper added in commit 68cc9427:
# cli_tools.py
def _resolve_workflow_path(file_path: str) -> Path:
"""Restrict workflow file_path to an allowed root."""
if not isinstance(file_path, str) or not file_path:
raise ValueError("file_path must be a non-empty string")
if "\x00" in file_path or file_path.startswith("~"):
raise ValueError(f"invalid file_path: {file_path!r}")
workflows_root = Path(os.path.expanduser("~/.praison/workflows")).resolve()
workflows_root.mkdir(parents=True, exist_ok=True)
candidate = (workflows_root / file_path).resolve()
try:
candidate.relative_to(workflows_root)
except ValueError:
raise ValueError(f"invalid file_path: {file_path!r}")
return candidate
Apply the same helper to:
workflow_show(file_path)andworkflow_validate(file_path). Restrict to a workflow root.deploy_validate(config_path). Restrict to a deploy-config root or an explicit allowlist.- The
default="deploy.yaml"fallback resolves into the user's current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.6.39"
},
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.6.40"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-47394"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-22",
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-29T22:30:58Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\n\nThe fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`:\n\n\u003e \"registers four file-handling tools by default, `praisonai.rules.create`, `praisonai.rules.show`, `praisonai.rules.delete`, **and `praisonai.workflow.show`**. Each accepts a path or filename string from MCP `tools/call` arguments\u2026 **with no containment check**.\"\n\nCommit `68cc9427` (\"fix(security): harden MCP rules path handling\u2026\") added a `_resolve_rule_path()` helper and applied it to `rules.create`, `rules.show`, and `rules.delete`. `workflow.show` was left unchanged. Two adjacent handlers in the same file have the same pattern, `workflow.validate` and `deploy.validate`. Neither was mentioned in the original advisory. Both remain unchanged.\n\nThe original advisory also identified the dispatcher (`server.py:281-298`) as a root cause. It accepts unvalidated `**kwargs` from `params[\"arguments\"]` with no enforcement against the tool\u0027s declared `input_schema`. That code is unchanged in HEAD as of commit `42221210`.\n\n**Result**: A single unauthenticated MCP `tools/call` to `praisonai.workflow.show` returns the contents of any file the host user can read: `/etc/passwd`, `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env`.\n\n## Affected functionality\n\n`src/praisonai/praisonai/mcp_server/adapters/cli_tools.py`:\n\n| Lines | Tool | Bug |\n|-------|------|-----|\n| 63-73 | `praisonai.workflow.show` | Returns the full contents of any file the host user can read |\n| 42-61 | `praisonai.workflow.validate` | Reads any path; YAML parser error messages leak file existence + content fragments |\n| 415-432 | `praisonai.deploy.validate` | Same pattern as `workflow.validate`. The `config_path=\"deploy.yaml\"` default does not constrain the input. |\n\n`src/praisonai/praisonai/mcp_server/server.py:281-298`, `_handle_tools_call`:\n\n```python\nasync def _handle_tools_call(self, params: Dict[str, Any]) -\u003e Dict[str, Any]:\n tool_name = params.get(\"name\")\n arguments = params.get(\"arguments\", {})\n ...\n tool = self._tool_registry.get(tool_name)\n ...\n if asyncio.iscoroutinefunction(tool.handler):\n result = await tool.handler(**arguments) # \u2190 no schema enforcement\n else:\n result = tool.handler(**arguments)\n```\n\nAny JSON arguments the MCP client sends become a `**kwargs` call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.\n\n## Default deployment is exposed\n\n`src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91`:\n\n- `host` defaults to `127.0.0.1`, which is still reachable from any local process or container neighbour on loopback.\n- `api_key` defaults to `None`. The auth check at `http_stream.py:192-198` is gated on `if self.api_key:`, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.\n- The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).\n\n## Other file-read sinks reachable via the same dispatcher\n\nThese were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to `cli_tools.py`:\n\n- `mcp_server/adapters/capabilities.py:19-28`, `praisonai.audio.transcribe(file_path)`. Opens any host file and ships it to OpenAI Whisper.\n- `mcp_server/adapters/extended_capabilities.py:47-62`, `praisonai.files.create(file_path)`. Uploads any host file to OpenAI Files. A follow-up call to `praisonai.files.content(file_id)` (`extended_capabilities.py:103-113`) returns the bytes.\n- `mcp_server/adapters/extended_capabilities.py:243-258`, `praisonai.ocr_extract(image_path)`. Opens any image, returns OCR text.\n\nThe three handlers in `cli_tools.py` are the most direct primitives, since they echo the file content back without an OpenAI round-trip.\n\n## Proof of Concept\n\n### Layout\n```\nPraisonAI/\n\u2514\u2500\u2500 poc/\n \u251c\u2500\u2500 start_mcp_server.sh \u2190 starts the real MCP server\n \u251c\u2500\u2500 run_mcp_poc_video.sh \u2190 runs the attack with curl\n \u251c\u2500\u2500 venv/ \n \u2514\u2500\u2500 output/\n \u251c\u2500\u2500 mcp_server_run.log\n \u251c\u2500\u2500 mcp_attacker_run.log\n \u2514\u2500\u2500 synthetic_credentials.txt (PoC-only fake creds)\n```\n\n[start_mcp_server.sh](https://github.com/user-attachments/files/27569524/start_mcp_server.sh)\n[run_mcp_poc_video.sh](https://github.com/user-attachments/files/27569525/run_mcp_poc_video.sh)\n\nThe server starter runs the real `MCPServer` class with `register_cli_tools()`, same code path `praisonai mcp serve --transport http-stream` uses. No mocks.\n\n### How to reproduce\n\n**Terminal 1, start the server**:\n```bash\ncd PraisonAI\nbash poc/start_mcp_server.sh\n```\nBoots `MCPServer` on `127.0.0.1:8766/mcp` with no auth, matching the documented default `api_key=None`.\n\n**Terminal 2, run the attack**:\n```bash\ncd PraisonAI\nbash poc/run_mcp_poc_video.sh\n```\nSix numbered steps. Each one prints the action, runs one `curl`, prints the JSON-RPC response.\n\n**`workflow.validate` leaks `/etc/hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n \"text\": \"YAML error: while scanning for the next token\\nfound character \u0027\\\\t\u0027 that cannot start any token\\n in \\\"/etc/hosts\\\", line 7, column 10\" }] } }\n```\nThe parser error message confirms the file exists and includes a fragment of its content.\n\n**`deploy.validate` leaks `~/.ssh/known_hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n \"text\": \"Error: expected \u0027\u003cdocument start\u003e\u0027, but found \u0027\u003cscalar\u003e\u0027\\n in \\\"/Users/\u003cvictim\u003e/.ssh/known_hosts\\\", line 1, column 13\" }] } }\n```\n\n**`workflow.show` exfiltrates a credential file:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n \"text\": \"# AWS-style credentials (SYNTHETIC, for PoC only)\\n[default]\\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\\n\\n# .env-style secrets\\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\\nOPENAI_API_KEY=sk-FAKE-FOR-POC\\n\" }] } }\n```\n\nThe PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer\u0027s real secrets. The same call reads `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env` if you point it there.\n\nhttps://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a\n\n\n## Impact\n\n- Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project `.env` files, `~/.netrc`, `~/.docker/config.json`, browser cookie databases, and the system password file.\n- No authentication required. The default is `api_key=None` (`http_stream.py:91`). The auth check at `http_stream.py:192-198` is wrapped in `if self.api_key:`, so it does not run when no key is configured.\n- No operator misconfiguration required. This is the documented default.\n- The original advisory\u0027s exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same `tools/call` and returning the response. No operator click is needed beyond \"summarise this page\".\n\nThe original advisory was Critical because the write primitive (rules.create) chained to RCE through `.pth` injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.\n\n## Suggested fix\n\nThere are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.\n\n### 1. Enforce `tool.input_schema` in the dispatcher\n\n`mcp_server/server.py:281-298`. The schemas are already built reflectively from each handler\u0027s signature in `registry.py:320-376`. Validate `arguments` against the registered schema before calling `tool.handler(**arguments)` and reject anything that does not match. This covers `workflow.show`, `workflow.validate`, `deploy.validate`, `audio.transcribe`, `files.create`, `ocr_extract`, and any handler added later.\n\n### 2. Per-handler containment\n\nThis is the same shape as the existing `_resolve_rule_path()` helper added in commit `68cc9427`:\n\n```python\n# cli_tools.py\ndef _resolve_workflow_path(file_path: str) -\u003e Path:\n \"\"\"Restrict workflow file_path to an allowed root.\"\"\"\n if not isinstance(file_path, str) or not file_path:\n raise ValueError(\"file_path must be a non-empty string\")\n if \"\\x00\" in file_path or file_path.startswith(\"~\"):\n raise ValueError(f\"invalid file_path: {file_path!r}\")\n workflows_root = Path(os.path.expanduser(\"~/.praison/workflows\")).resolve()\n workflows_root.mkdir(parents=True, exist_ok=True)\n candidate = (workflows_root / file_path).resolve()\n try:\n candidate.relative_to(workflows_root)\n except ValueError:\n raise ValueError(f\"invalid file_path: {file_path!r}\")\n return candidate\n```\n\nApply the same helper to:\n\n- `workflow_show(file_path)` and `workflow_validate(file_path)`. Restrict to a workflow root.\n- `deploy_validate(config_path)`. Restrict to a deploy-config root or an explicit allowlist.\n- The `default=\"deploy.yaml\"` fallback resolves into the user\u0027s current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.",
"id": "GHSA-9cr9-25q5-8prj",
"modified": "2026-05-29T22:30:58Z",
"published": "2026-05-29T22:30:58Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cr9-25q5-8prj"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate"
}
GHSA-9CVC-V7WM-992C
Vulnerability from github – Published: 2023-08-15 20:04 – Updated: 2023-08-15 20:04Summary
When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query.
This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is not defined.
Impact
This vulnerability does not affect developers using the @keystone-6/auth package, or any users that have written their own ui.isAccessAllowed (that is to say, you are unaffected if ui.isAccessAllowed is defined).
This vulnerability does affect developers who thought that their session strategy will, by default, enforce that adminMeta is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware.
Patches
This vulnerability has been patched in @keystone-6/core version 5.5.1.
Workarounds
You can opt to write your own isAccessAllowed to work-around this vulnerability.
References
Pull request https://github.com/keystonejs/keystone/pull/8771
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@keystone-6/core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.5.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2023-40027"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-15T20:04:14Z",
"nvd_published_at": "2023-08-15T18:15:10Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query.\n\nThis is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a `session` strategy is not defined. \n\n### Impact\nThis vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, you are unaffected if `ui.isAccessAllowed` is defined).\n\nThis vulnerability does affect developers who thought that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware.\n\n### Patches\nThis vulnerability has been patched in `@keystone-6/core` version `5.5.1`.\n\n### Workarounds\nYou can opt to write your own `isAccessAllowed` to work-around this vulnerability.\n\n### References\nPull request https://github.com/keystonejs/keystone/pull/8771\n",
"id": "GHSA-9cvc-v7wm-992c",
"modified": "2023-08-15T20:04:14Z",
"published": "2023-08-15T20:04:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40027"
},
{
"type": "WEB",
"url": "https://github.com/keystonejs/keystone/pull/8771"
},
{
"type": "WEB",
"url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284"
},
{
"type": "PACKAGE",
"url": "https://github.com/keystonejs/keystone"
},
{
"type": "WEB",
"url": "https://github.com/keystonejs/keystone/releases/tag/2023-08-15"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible"
}
GHSA-9CVV-766G-PPJV
Vulnerability from github – Published: 2025-12-30 12:30 – Updated: 2026-01-20 15:32Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.
{
"affected": [],
"aliases": [
"CVE-2025-69015"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T11:15:59Z",
"severity": "LOW"
},
"details": "Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through \u003c= 1.7.2.",
"id": "GHSA-9cvv-766g-ppjv",
"modified": "2026-01-20T15:32:45Z",
"published": "2025-12-30T12:30:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69015"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve"
},
{
"type": "WEB",
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-9CW4-M3WP-FF28
Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.
{
"affected": [],
"aliases": [
"CVE-2024-37203"
],
"database_specific": {
"cwe_ids": [
"CWE-862"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-11-01T15:15:20Z",
"severity": "MODERATE"
},
"details": "Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.",
"id": "GHSA-9cw4-m3wp-ff28",
"modified": "2024-11-01T15:31:57Z",
"published": "2024-11-01T15:31:57Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37203"
},
{
"type": "WEB",
"url": "https://patchstack.com/database/vulnerability/laybuy-gateway-for-woocommerce/wordpress-laybuy-payment-extension-for-woocommerce-plugin-5-3-9-broken-access-control-vulnerability?_s_id=cve"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
- Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
- Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].
Mitigation MIT-4.4
Strategy: Libraries or Frameworks
- Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
- For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
- For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.