CVE-2026-61427: Improper Input Validation in MervinPraison PraisonAI
PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream' without an API key, an unauthenticated client (no Authorization header, and no Origin header, which is also permitted) can initialize a session, enumerate the available tools (tools/list), and invoke tools (tools/call). Additionally, the dispatcher forwards tool-call arguments to handlers without validating them against the advertised inputSchema. The server binds to 127.0.0.1 by default, so remote exploitation requires the operator to bind to a network-accessible address (e.g., --host 0.0.0.0).
AI Analysis
Technical Summary
CVE-2026-61427 describes an improper input validation and authentication bypass vulnerability in MervinPraison's PraisonAI prior to version 4.6.78. The MCP HTTP-stream transport is exposed without authentication when no API key is set, allowing unauthenticated clients to interact with the server's tool interfaces. Additionally, the dispatcher forwards tool-call arguments without validating them against the input schema, potentially allowing malformed inputs. By default, the server binds to 127.0.0.1, limiting exposure to local access unless explicitly configured to bind to a network-accessible interface.
Potential Impact
An unauthenticated attacker on the local machine or on the network (if the server is bound to a public interface) can initialize sessions, enumerate available tools, and invoke them with unvalidated input arguments. This could lead to unauthorized use of tools and potential exploitation due to lack of input validation. However, remote exploitation requires the server to be bound to a network-accessible address, which is not the default configuration.
Mitigation Recommendations
No official fix or patch is currently confirmed for this vulnerability. Operators should ensure that an API key is configured to enforce Authorization/Bearer checks on the MCP HTTP-stream transport. Additionally, avoid binding the server to network-accessible addresses unless necessary. Monitor vendor advisories for updates or official patches addressing this issue.
CVE-2026-61427: Improper Input Validation in MervinPraison PraisonAI
Description
PraisonAI before 4.6.78 exposes the MCP HTTP-stream transport without authentication by default: the CLI --api-key option defaults to None, and the server only enforces Authorization/Bearer checks when an API key is configured. When an operator runs 'praisonai mcp serve --transport http-stream' without an API key, an unauthenticated client (no Authorization header, and no Origin header, which is also permitted) can initialize a session, enumerate the available tools (tools/list), and invoke tools (tools/call). Additionally, the dispatcher forwards tool-call arguments to handlers without validating them against the advertised inputSchema. The server binds to 127.0.0.1 by default, so remote exploitation requires the operator to bind to a network-accessible address (e.g., --host 0.0.0.0).
CVSS v4.0
Score 6.9medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-61427 describes an improper input validation and authentication bypass vulnerability in MervinPraison's PraisonAI prior to version 4.6.78. The MCP HTTP-stream transport is exposed without authentication when no API key is set, allowing unauthenticated clients to interact with the server's tool interfaces. Additionally, the dispatcher forwards tool-call arguments without validating them against the input schema, potentially allowing malformed inputs. By default, the server binds to 127.0.0.1, limiting exposure to local access unless explicitly configured to bind to a network-accessible interface.
Potential Impact
An unauthenticated attacker on the local machine or on the network (if the server is bound to a public interface) can initialize sessions, enumerate available tools, and invoke them with unvalidated input arguments. This could lead to unauthorized use of tools and potential exploitation due to lack of input validation. However, remote exploitation requires the server to be bound to a network-accessible address, which is not the default configuration.
Mitigation Recommendations
No official fix or patch is currently confirmed for this vulnerability. Operators should ensure that an API key is configured to enforce Authorization/Bearer checks on the MCP HTTP-stream transport. Additionally, avoid binding the server to network-accessible addresses unless necessary. Monitor vendor advisories for updates or official patches addressing this issue.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-07-09T14:05:21.470Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a57771e68715ace43a93b81
Added to database: 07/15/2026, 12:03:42 UTC
Last enriched: 07/15/2026, 12:19:17 UTC
Last updated: 07/15/2026, 14:42:44 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.