Common Weakness Enumeration

CWE-862

Allowed-with-Review

Missing Authorization

Abstraction: Class · Status: Incomplete

The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

14624 vulnerabilities reference this CWE, most recent first.

GHSA-9C7X-GVXW-8JHQ

Vulnerability from github – Published: 2025-01-02 15:31 – Updated: 2026-04-23 15:34
VLAI
Details

Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-47778"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-01-02T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in LuckyWP LuckyWP Scripts Control allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LuckyWP Scripts Control: from n/a through 1.2.1.",
  "id": "GHSA-9c7x-gvxw-8jhq",
  "modified": "2026-04-23T15:34:26Z",
  "published": "2025-01-02T15:31:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-47778"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/luckywp-scripts-control/vulnerability/wordpress-luckywp-scripts-control-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9C82-3F2R-V942

Vulnerability from github – Published: 2026-07-10 03:31 – Updated: 2026-07-10 03:31
VLAI
Details

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-15320"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-10T03:16:20Z",
    "severity": "LOW"
  },
  "details": "A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. This vulnerability affects the function rt.ReloadConfig of the file pkg/channels/pico/pico.go. Performing a manipulation of the argument message.send results in missing authorization. It is possible to initiate the attack remotely. The exploit is now public and may be used. The reported GitHub issue was closed automatically due to inactivity.",
  "id": "GHSA-9c82-3f2r-v942",
  "modified": "2026-07-10T03:31:30Z",
  "published": "2026-07-10T03:31:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-15320"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sipeed/picoclaw/issues/3071"
    },
    {
      "type": "WEB",
      "url": "https://github.com/sipeed/picoclaw"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/cve/CVE-2026-15320"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/submit/852942"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377260"
    },
    {
      "type": "WEB",
      "url": "https://vuldb.com/vuln/377260/cti"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-9CFJ-6M9J-H4WW

Vulnerability from github – Published: 2026-03-02 21:31 – Updated: 2026-03-06 06:30
VLAI
Details

In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0023"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-03-02T19:16:30Z",
    "severity": "HIGH"
  },
  "details": "In createSessionInternal of PackageInstallerService.java, there is a possible way for an app to update its ownership due to a missing permission check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-9cfj-6m9j-h4ww",
  "modified": "2026-03-06T06:30:31Z",
  "published": "2026-03-02T21:31:31Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0023"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/2026/2026-03-01"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2026-03-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CG3-R62G-92W5

Vulnerability from github – Published: 2025-11-18 09:30 – Updated: 2025-11-18 09:30
VLAI
Details

The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'acf_flm_update_template_with_pasted_layout' function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12937"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-18T09:15:49Z",
    "severity": "MODERATE"
  },
  "details": "The ACF Flexible Layouts Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the \u0027acf_flm_update_template_with_pasted_layout\u0027 function in all versions up to, and including, 1.1.6. This makes it possible for unauthenticated attackers to update custom field values on individual posts and pages.",
  "id": "GHSA-9cg3-r62g-92w5",
  "modified": "2025-11-18T09:30:52Z",
  "published": "2025-11-18T09:30:52Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12937"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/browser/acf-flexible-layouts-manager/trunk/includes/ajax/ajax-paste.php#L4"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/915cce97-8305-4249-b2d3-c4da2f59a95a?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CP6-9C8R-555X

Vulnerability from github – Published: 2023-06-07 03:30 – Updated: 2024-04-04 04:38
VLAI
Details

The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn't fully address the issue.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-4347"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-06-07T02:15:13Z",
    "severity": "MODERATE"
  },
  "details": "The function update_shipment_status_email_status_fun in the plugin Advanced Shipment Tracking for WooCommerce in versions up to 3.2.6 is vulnerable to authenticated arbitrary options update. The function allows attackers (including those at customer level) to update any WordPress option in the database. Version 3.2.5 was initially released as a fix, but doesn\u0027t fully address the issue.",
  "id": "GHSA-9cp6-9c8r-555x",
  "modified": "2024-04-04T04:38:02Z",
  "published": "2023-06-07T03:30:22Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-4347"
    },
    {
      "type": "WEB",
      "url": "https://blog.nintechnet.com/wordpress-advanced-shipment-tracking-for-woocommerce-fixed-critical-vulnerability"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4174b47a-75d0-4ada-bd4d-efbaf0b1a049?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CPF-P5Q4-QJRX

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

Unauthenticated Broken Access Control in MetForm Pro <= 3.9.1 versions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-24611"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:20:10Z",
    "severity": "CRITICAL"
  },
  "details": "Unauthenticated Broken Access Control in MetForm Pro \u003c= 3.9.1 versions.",
  "id": "GHSA-9cpf-p5q4-qjrx",
  "modified": "2026-06-17T18:35:47Z",
  "published": "2026-06-17T18:35:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24611"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/metform-pro/vulnerability/wordpress-metform-pro-plugin-3-9-1-broken-access-control-vulnerability-2?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CR9-25Q5-8PRJ

Vulnerability from github – Published: 2026-05-29 22:30 – Updated: 2026-05-29 22:30
VLAI
Summary
PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate
Details

Summary

The fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in mcp_server/adapters/cli_tools.py:

"registers four file-handling tools by default, praisonai.rules.create, praisonai.rules.show, praisonai.rules.delete, and praisonai.workflow.show. Each accepts a path or filename string from MCP tools/call arguments… with no containment check."

Commit 68cc9427 ("fix(security): harden MCP rules path handling…") added a _resolve_rule_path() helper and applied it to rules.create, rules.show, and rules.delete. workflow.show was left unchanged. Two adjacent handlers in the same file have the same pattern, workflow.validate and deploy.validate. Neither was mentioned in the original advisory. Both remain unchanged.

The original advisory also identified the dispatcher (server.py:281-298) as a root cause. It accepts unvalidated **kwargs from params["arguments"] with no enforcement against the tool's declared input_schema. That code is unchanged in HEAD as of commit 42221210.

Result: A single unauthenticated MCP tools/call to praisonai.workflow.show returns the contents of any file the host user can read: /etc/passwd, ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env.

Affected functionality

src/praisonai/praisonai/mcp_server/adapters/cli_tools.py:

Lines Tool Bug
63-73 praisonai.workflow.show Returns the full contents of any file the host user can read
42-61 praisonai.workflow.validate Reads any path; YAML parser error messages leak file existence + content fragments
415-432 praisonai.deploy.validate Same pattern as workflow.validate. The config_path="deploy.yaml" default does not constrain the input.

src/praisonai/praisonai/mcp_server/server.py:281-298, _handle_tools_call:

async def _handle_tools_call(self, params: Dict[str, Any]) -> Dict[str, Any]:
    tool_name = params.get("name")
    arguments = params.get("arguments", {})
    ...
    tool = self._tool_registry.get(tool_name)
    ...
    if asyncio.iscoroutinefunction(tool.handler):
        result = await tool.handler(**arguments)        # ← no schema enforcement
    else:
        result = tool.handler(**arguments)

Any JSON arguments the MCP client sends become a **kwargs call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.

Default deployment is exposed

src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91:

  • host defaults to 127.0.0.1, which is still reachable from any local process or container neighbour on loopback.
  • api_key defaults to None. The auth check at http_stream.py:192-198 is gated on if self.api_key:, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.
  • The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).

Other file-read sinks reachable via the same dispatcher

These were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to cli_tools.py:

  • mcp_server/adapters/capabilities.py:19-28, praisonai.audio.transcribe(file_path). Opens any host file and ships it to OpenAI Whisper.
  • mcp_server/adapters/extended_capabilities.py:47-62, praisonai.files.create(file_path). Uploads any host file to OpenAI Files. A follow-up call to praisonai.files.content(file_id) (extended_capabilities.py:103-113) returns the bytes.
  • mcp_server/adapters/extended_capabilities.py:243-258, praisonai.ocr_extract(image_path). Opens any image, returns OCR text.

The three handlers in cli_tools.py are the most direct primitives, since they echo the file content back without an OpenAI round-trip.

Proof of Concept

Layout

PraisonAI/
└── poc/
    ├── start_mcp_server.sh         ← starts the real MCP server
    ├── run_mcp_poc_video.sh        ← runs the attack with curl
    ├── venv/                       
    └── output/
        ├── mcp_server_run.log
        ├── mcp_attacker_run.log
        └── synthetic_credentials.txt   (PoC-only fake creds)

start_mcp_server.sh run_mcp_poc_video.sh

The server starter runs the real MCPServer class with register_cli_tools(), same code path praisonai mcp serve --transport http-stream uses. No mocks.

How to reproduce

Terminal 1, start the server:

cd PraisonAI
bash poc/start_mcp_server.sh

Boots MCPServer on 127.0.0.1:8766/mcp with no auth, matching the documented default api_key=None.

Terminal 2, run the attack:

cd PraisonAI
bash poc/run_mcp_poc_video.sh

Six numbered steps. Each one prints the action, runs one curl, prints the JSON-RPC response.

workflow.validate leaks /etc/hosts:

{ "result": { "content": [{ "type": "text",
  "text": "YAML error: while scanning for the next token\nfound character '\\t' that cannot start any token\n  in \"/etc/hosts\", line 7, column 10" }] } }

The parser error message confirms the file exists and includes a fragment of its content.

deploy.validate leaks ~/.ssh/known_hosts:

{ "result": { "content": [{ "type": "text",
  "text": "Error: expected '<document start>', but found '<scalar>'\n  in \"/Users/<victim>/.ssh/known_hosts\", line 1, column 13" }] } }

workflow.show exfiltrates a credential file:

{ "result": { "content": [{ "type": "text",
  "text": "# AWS-style credentials (SYNTHETIC, for PoC only)\n[default]\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\n\n# .env-style secrets\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\nOPENAI_API_KEY=sk-FAKE-FOR-POC\n" }] } }

The PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer's real secrets. The same call reads ~/.ssh/id_rsa, ~/.aws/credentials, or any project .env if you point it there.

https://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a

Impact

  • Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project .env files, ~/.netrc, ~/.docker/config.json, browser cookie databases, and the system password file.
  • No authentication required. The default is api_key=None (http_stream.py:91). The auth check at http_stream.py:192-198 is wrapped in if self.api_key:, so it does not run when no key is configured.
  • No operator misconfiguration required. This is the documented default.
  • The original advisory's exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same tools/call and returning the response. No operator click is needed beyond "summarise this page".

The original advisory was Critical because the write primitive (rules.create) chained to RCE through .pth injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.

Suggested fix

There are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.

1. Enforce tool.input_schema in the dispatcher

mcp_server/server.py:281-298. The schemas are already built reflectively from each handler's signature in registry.py:320-376. Validate arguments against the registered schema before calling tool.handler(**arguments) and reject anything that does not match. This covers workflow.show, workflow.validate, deploy.validate, audio.transcribe, files.create, ocr_extract, and any handler added later.

2. Per-handler containment

This is the same shape as the existing _resolve_rule_path() helper added in commit 68cc9427:

# cli_tools.py
def _resolve_workflow_path(file_path: str) -> Path:
    """Restrict workflow file_path to an allowed root."""
    if not isinstance(file_path, str) or not file_path:
        raise ValueError("file_path must be a non-empty string")
    if "\x00" in file_path or file_path.startswith("~"):
        raise ValueError(f"invalid file_path: {file_path!r}")
    workflows_root = Path(os.path.expanduser("~/.praison/workflows")).resolve()
    workflows_root.mkdir(parents=True, exist_ok=True)
    candidate = (workflows_root / file_path).resolve()
    try:
        candidate.relative_to(workflows_root)
    except ValueError:
        raise ValueError(f"invalid file_path: {file_path!r}")
    return candidate

Apply the same helper to:

  • workflow_show(file_path) and workflow_validate(file_path). Restrict to a workflow root.
  • deploy_validate(config_path). Restrict to a deploy-config root or an explicit allowlist.
  • The default="deploy.yaml" fallback resolves into the user's current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.6.39"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "PraisonAI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.6.40"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-47394"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-22",
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-29T22:30:58Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "## Summary\n\nThe fix for GHSA-9mqq-jqxf-grvw / CVE-2026-44336 is incomplete. The original advisory description named four vulnerable handlers in `mcp_server/adapters/cli_tools.py`:\n\n\u003e \"registers four file-handling tools by default, `praisonai.rules.create`, `praisonai.rules.show`, `praisonai.rules.delete`, **and `praisonai.workflow.show`**. Each accepts a path or filename string from MCP `tools/call` arguments\u2026 **with no containment check**.\"\n\nCommit `68cc9427` (\"fix(security): harden MCP rules path handling\u2026\") added a `_resolve_rule_path()` helper and applied it to `rules.create`, `rules.show`, and `rules.delete`. `workflow.show` was left unchanged. Two adjacent handlers in the same file have the same pattern, `workflow.validate` and `deploy.validate`. Neither was mentioned in the original advisory. Both remain unchanged.\n\nThe original advisory also identified the dispatcher (`server.py:281-298`) as a root cause. It accepts unvalidated `**kwargs` from `params[\"arguments\"]` with no enforcement against the tool\u0027s declared `input_schema`. That code is unchanged in HEAD as of commit `42221210`.\n\n**Result**: A single unauthenticated MCP `tools/call` to `praisonai.workflow.show` returns the contents of any file the host user can read: `/etc/passwd`, `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env`.\n\n## Affected functionality\n\n`src/praisonai/praisonai/mcp_server/adapters/cli_tools.py`:\n\n| Lines | Tool | Bug |\n|-------|------|-----|\n| 63-73 | `praisonai.workflow.show` | Returns the full contents of any file the host user can read |\n| 42-61 | `praisonai.workflow.validate` | Reads any path; YAML parser error messages leak file existence + content fragments |\n| 415-432 | `praisonai.deploy.validate` | Same pattern as `workflow.validate`. The `config_path=\"deploy.yaml\"` default does not constrain the input. |\n\n`src/praisonai/praisonai/mcp_server/server.py:281-298`, `_handle_tools_call`:\n\n```python\nasync def _handle_tools_call(self, params: Dict[str, Any]) -\u003e Dict[str, Any]:\n    tool_name = params.get(\"name\")\n    arguments = params.get(\"arguments\", {})\n    ...\n    tool = self._tool_registry.get(tool_name)\n    ...\n    if asyncio.iscoroutinefunction(tool.handler):\n        result = await tool.handler(**arguments)        # \u2190 no schema enforcement\n    else:\n        result = tool.handler(**arguments)\n```\n\nAny JSON arguments the MCP client sends become a `**kwargs` call to the handler. The original advisory pointed at this code path as the root cause. The May 3 patch did not change it.\n\n## Default deployment is exposed\n\n`src/praisonai/praisonai/mcp_server/transports/http_stream.py:38-91`:\n\n- `host` defaults to `127.0.0.1`, which is still reachable from any local process or container neighbour on loopback.\n- `api_key` defaults to `None`. The auth check at `http_stream.py:192-198` is gated on `if self.api_key:`, so it is skipped when no key is configured. There is no env var or config switch that turns auth on by default.\n- The same handlers are also reachable on the stdio transport, which is the exploitation model the original advisory was written around (Claude Desktop, Cursor, Continue.dev, Claude Code).\n\n## Other file-read sinks reachable via the same dispatcher\n\nThese were not named in the original advisory. They confirm the bug is dispatcher-wide and not limited to `cli_tools.py`:\n\n- `mcp_server/adapters/capabilities.py:19-28`, `praisonai.audio.transcribe(file_path)`. Opens any host file and ships it to OpenAI Whisper.\n- `mcp_server/adapters/extended_capabilities.py:47-62`, `praisonai.files.create(file_path)`. Uploads any host file to OpenAI Files. A follow-up call to `praisonai.files.content(file_id)` (`extended_capabilities.py:103-113`) returns the bytes.\n- `mcp_server/adapters/extended_capabilities.py:243-258`, `praisonai.ocr_extract(image_path)`. Opens any image, returns OCR text.\n\nThe three handlers in `cli_tools.py` are the most direct primitives, since they echo the file content back without an OpenAI round-trip.\n\n## Proof of Concept\n\n### Layout\n```\nPraisonAI/\n\u2514\u2500\u2500 poc/\n    \u251c\u2500\u2500 start_mcp_server.sh         \u2190 starts the real MCP server\n    \u251c\u2500\u2500 run_mcp_poc_video.sh        \u2190 runs the attack with curl\n    \u251c\u2500\u2500 venv/                       \n    \u2514\u2500\u2500 output/\n        \u251c\u2500\u2500 mcp_server_run.log\n        \u251c\u2500\u2500 mcp_attacker_run.log\n        \u2514\u2500\u2500 synthetic_credentials.txt   (PoC-only fake creds)\n```\n\n[start_mcp_server.sh](https://github.com/user-attachments/files/27569524/start_mcp_server.sh)\n[run_mcp_poc_video.sh](https://github.com/user-attachments/files/27569525/run_mcp_poc_video.sh)\n\nThe server starter runs the real `MCPServer` class with `register_cli_tools()`, same code path `praisonai mcp serve --transport http-stream` uses. No mocks.\n\n### How to reproduce\n\n**Terminal 1, start the server**:\n```bash\ncd PraisonAI\nbash poc/start_mcp_server.sh\n```\nBoots `MCPServer` on `127.0.0.1:8766/mcp` with no auth, matching the documented default `api_key=None`.\n\n**Terminal 2, run the attack**:\n```bash\ncd PraisonAI\nbash poc/run_mcp_poc_video.sh\n```\nSix numbered steps. Each one prints the action, runs one `curl`, prints the JSON-RPC response.\n\n**`workflow.validate` leaks `/etc/hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"YAML error: while scanning for the next token\\nfound character \u0027\\\\t\u0027 that cannot start any token\\n  in \\\"/etc/hosts\\\", line 7, column 10\" }] } }\n```\nThe parser error message confirms the file exists and includes a fragment of its content.\n\n**`deploy.validate` leaks `~/.ssh/known_hosts`:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"Error: expected \u0027\u003cdocument start\u003e\u0027, but found \u0027\u003cscalar\u003e\u0027\\n  in \\\"/Users/\u003cvictim\u003e/.ssh/known_hosts\\\", line 1, column 13\" }] } }\n```\n\n**`workflow.show` exfiltrates a credential file:**\n```json\n{ \"result\": { \"content\": [{ \"type\": \"text\",\n  \"text\": \"# AWS-style credentials (SYNTHETIC, for PoC only)\\n[default]\\naws_access_key_id = AKIA-FAKE-EXFIL-KEY-FOR-POC\\naws_secret_access_key = synthetic-secret-do-not-actually-exist-12345\\n\\n# .env-style secrets\\nDATABASE_URL=postgres://app:hunter2@db.internal/prod\\nSLACK_BOT_TOKEN=xoxb-FAKE-TOKEN-for-poc-only\\nOPENAI_API_KEY=sk-FAKE-FOR-POC\\n\" }] } }\n```\n\nThe PoC writes its own synthetic credential file so the demonstration does not depend on the reviewer\u0027s real secrets. The same call reads `~/.ssh/id_rsa`, `~/.aws/credentials`, or any project `.env` if you point it there.\n\nhttps://github.com/user-attachments/assets/09511e66-6a52-4fe3-a303-91d1f99cd27a\n\n\n## Impact\n\n- Confidentiality, High. Any file the praisonai user can read becomes available to the MCP caller. Typical targets are host SSH keys, cloud credentials, API tokens, project `.env` files, `~/.netrc`, `~/.docker/config.json`, browser cookie databases, and the system password file.\n- No authentication required. The default is `api_key=None` (`http_stream.py:91`). The auth check at `http_stream.py:192-198` is wrapped in `if self.api_key:`, so it does not run when no key is configured.\n- No operator misconfiguration required. This is the documented default.\n- The original advisory\u0027s exploitation model still applies. An MCP-connected LLM whose context contains attacker-controlled web pages, documents, or emails can be steered into issuing the same `tools/call` and returning the response. No operator click is needed beyond \"summarise this page\".\n\nThe original advisory was Critical because the write primitive (rules.create) chained to RCE through `.pth` injection. This finding is the read half of the same shape. Read alone is enough to take SSH keys, cloud credentials, and tokens, which is usually how the rest of the host gets compromised through credential reuse.\n\n## Suggested fix\n\nThere are two ways to fix this. Doing both is fine. The dispatcher fix is preferred because it closes the same class of bug for every handler that takes a path-shaped argument, including the OpenAI-backed ones called out earlier.\n\n### 1. Enforce `tool.input_schema` in the dispatcher\n\n`mcp_server/server.py:281-298`. The schemas are already built reflectively from each handler\u0027s signature in `registry.py:320-376`. Validate `arguments` against the registered schema before calling `tool.handler(**arguments)` and reject anything that does not match. This covers `workflow.show`, `workflow.validate`, `deploy.validate`, `audio.transcribe`, `files.create`, `ocr_extract`, and any handler added later.\n\n### 2. Per-handler containment\n\nThis is the same shape as the existing `_resolve_rule_path()` helper added in commit `68cc9427`:\n\n```python\n# cli_tools.py\ndef _resolve_workflow_path(file_path: str) -\u003e Path:\n    \"\"\"Restrict workflow file_path to an allowed root.\"\"\"\n    if not isinstance(file_path, str) or not file_path:\n        raise ValueError(\"file_path must be a non-empty string\")\n    if \"\\x00\" in file_path or file_path.startswith(\"~\"):\n        raise ValueError(f\"invalid file_path: {file_path!r}\")\n    workflows_root = Path(os.path.expanduser(\"~/.praison/workflows\")).resolve()\n    workflows_root.mkdir(parents=True, exist_ok=True)\n    candidate = (workflows_root / file_path).resolve()\n    try:\n        candidate.relative_to(workflows_root)\n    except ValueError:\n        raise ValueError(f\"invalid file_path: {file_path!r}\")\n    return candidate\n```\n\nApply the same helper to:\n\n- `workflow_show(file_path)` and `workflow_validate(file_path)`. Restrict to a workflow root.\n- `deploy_validate(config_path)`. Restrict to a deploy-config root or an explicit allowlist.\n- The `default=\"deploy.yaml\"` fallback resolves into the user\u0027s current working directory. Containment is what fixes the bug, but removing that default also makes prompt-injection chains harder.",
  "id": "GHSA-9cr9-25q5-8prj",
  "modified": "2026-05-29T22:30:58Z",
  "published": "2026-05-29T22:30:58Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cr9-25q5-8prj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/MervinPraison/PraisonAI"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "PraisonAI vulnerable to unauthenticated arbitrary file read via MCP workflow.show, workflow.validate, deploy.validate"
}

GHSA-9CVC-V7WM-992C

Vulnerability from github – Published: 2023-08-15 20:04 – Updated: 2023-08-15 20:04
VLAI
Summary
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible
Details

Summary

When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query.

This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is not defined.

Impact

This vulnerability does not affect developers using the @keystone-6/auth package, or any users that have written their own ui.isAccessAllowed (that is to say, you are unaffected if ui.isAccessAllowed is defined).

This vulnerability does affect developers who thought that their session strategy will, by default, enforce that adminMeta is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware.

Patches

This vulnerability has been patched in @keystone-6/core version 5.5.1.

Workarounds

You can opt to write your own isAccessAllowed to work-around this vulnerability.

References

Pull request https://github.com/keystonejs/keystone/pull/8771

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@keystone-6/core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.5.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-40027"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-15T20:04:14Z",
    "nvd_published_at": "2023-08-15T18:15:10Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\nWhen `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query.\n\nThis is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a `session` strategy is not defined. \n\n### Impact\nThis vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, you are unaffected if `ui.isAccessAllowed` is defined).\n\nThis vulnerability does affect developers who thought that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware.\n\n### Patches\nThis vulnerability has been patched in `@keystone-6/core` version `5.5.1`.\n\n### Workarounds\nYou can opt to write your own `isAccessAllowed` to work-around this vulnerability.\n\n### References\nPull request https://github.com/keystonejs/keystone/pull/8771\n",
  "id": "GHSA-9cvc-v7wm-992c",
  "modified": "2023-08-15T20:04:14Z",
  "published": "2023-08-15T20:04:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-40027"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/pull/8771"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/keystonejs/keystone"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/releases/tag/2023-08-15"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible"
}

GHSA-9CVV-766G-PPJV

Vulnerability from github – Published: 2025-12-30 12:30 – Updated: 2026-01-20 15:32
VLAI
Details

Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through <= 1.7.2.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-69015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-12-30T11:15:59Z",
    "severity": "LOW"
  },
  "details": "Missing Authorization vulnerability in Automattic Crowdsignal Forms crowdsignal-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Crowdsignal Forms: from n/a through \u003c= 1.7.2.",
  "id": "GHSA-9cvv-766g-ppjv",
  "modified": "2026-01-20T15:32:45Z",
  "published": "2025-12-30T12:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69015"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://vdp.patchstack.com/database/Wordpress/Plugin/crowdsignal-forms/vulnerability/wordpress-crowdsignal-forms-plugin-1-7-2-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-9CW4-M3WP-FF28

Vulnerability from github – Published: 2024-11-01 15:31 – Updated: 2024-11-01 15:31
VLAI
Details

Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-37203"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-11-01T15:15:20Z",
    "severity": "MODERATE"
  },
  "details": "Missing Authorization vulnerability in Laybuy Laybuy Payment Extension for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Laybuy Payment Extension for WooCommerce: from n/a through 5.3.9.",
  "id": "GHSA-9cw4-m3wp-ff28",
  "modified": "2024-11-01T15:31:57Z",
  "published": "2024-11-01T15:31:57Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-37203"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/laybuy-gateway-for-woocommerce/wordpress-laybuy-payment-extension-for-woocommerce-plugin-5-3-9-broken-access-control-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design
  • Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) [REF-229] to enforce the roles at the appropriate boundaries.
  • Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
Mitigation
Architecture and Design

Ensure that access control checks are performed related to the business logic. These checks may be different than the access control checks that are applied to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor [REF-7].

Mitigation MIT-4.4
Architecture and Design

Strategy: Libraries or Frameworks

  • Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid.
  • For example, consider using authorization frameworks such as the JAAS Authorization Framework [REF-233] and the OWASP ESAPI Access Control feature [REF-45].
Mitigation
Architecture and Design
  • For web applications, make sure that the access control mechanism is enforced correctly at the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
  • One way to do this is to ensure that all pages containing sensitive information are not cached, and that all such pages restrict access to requests that are accompanied by an active and authenticated session token associated with a user who has the required permissions to access that page.
Mitigation
System Configuration Installation

Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. Use a "default deny" policy when defining these ACLs.

CAPEC-665: Exploitation of Thunderbolt Protection Flaws

An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.