PraisonAI CVE-2026-47408 — Unauthenticated A2A eval() RCE

AI relevance: The vulnerability lives in an official A2A (agent-to-agent) example server that ships with PraisonAI, a popular multi-agent framework — any internet-facing deployment lets unauthenticated callers reach LLM-driven eval() for arbitrary code execution.

  • CVE-2026-47408 was published on GitHub Advisories on May 30, 2026 and rated Critical.
  • The flaw resides in the official A2A example server distributed with praisonai-platform (pip). It exposes a tool-calling endpoint that can invoke Python eval() driven by the LLM — without any authentication gate.
  • This is separate from the previously reported CVE-2026-44338 (legacy Flask API auth bypass) and CVE-2026-40287 (patch-bypass RCE via tool_override.py), representing yet another attack surface in the PraisonAI codebase.
  • The A2A example is intended as a reference for agent-to-agent communication. Because it is unauthenticated by default, any attacker scanning for PraisonAI instances can reach the eval endpoint directly.
  • Combined with prompt injection or malicious tool-calling payloads, this gives an attacker a one-step path from network access to remote code execution on the host running the agent framework.
  • PraisonAI has now accumulated at least four distinct CVEs in under two months (CVE-2026-40287, CVE-2026-44338, CVE-2026-44334, CVE-2026-47408), all rooted in unauthenticated API surfaces or sandbox escape in tool execution paths.

Why it matters

PraisonAI is one of the most widely deployed open-source multi-agent frameworks. Each new CVE in this codebase adds to a growing attack surface that internet-facing agent operators may not have fully inventoried. The A2A example is the kind of reference code that gets copied into production — and this one has no auth at all.

What to do

  • Audit every PraisonAI deployment for the A2A example server and disable or restrict it behind authentication and network segmentation.
  • Upgrade to the latest patched version once published. Monitor the PraisonAI security advisories page.
  • If you run any AI agent framework with exposed tool-execution endpoints, verify authentication is enforced on every route — not just the main API surface.
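
One way to start the audit described in the list above, as an added example that is not PraisonAI's code or part of the advisory: a static check that lists eval()/exec() calls whose argument is not a literal, the pattern the advisory describes. The SAMPLE source and all function names are constructed for illustration.

```python
import ast
import pathlib

DANGEROUS = {"eval", "exec"}

# Constructed sample, NOT PraisonAI's code: a tool function of the kind the
# advisory describes, where a caller- or model-supplied string reaches eval().
SAMPLE = '''
def calculate(expression: str) -> str:
    return str(eval(expression))

def version() -> str:
    return str(eval("1 + 1"))
'''

def _call_name(node):
    """'eval'/'exec' for eval(...), builtins.eval(...) or x.eval(...), else None.
    Attribute matches can include unrelated methods; review hits by hand."""
    func = node.func
    name = getattr(func, "id", None) or getattr(func, "attr", None)
    return name if name in DANGEROUS else None

def find_dynamic_eval(source, filename="<string>"):
    """Return (file, line, enclosing function, call) for non-literal eval/exec."""
    findings = []
    tree = ast.parse(source, filename=filename)

    def visit(node, scope):
        if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            scope = node.name
        if isinstance(node, ast.Call):
            name = _call_name(node)
            # A constant first argument cannot carry request or model input.
            if name and node.args and not isinstance(node.args[0], ast.Constant):
                findings.append((filename, node.lineno, scope, name))
        for child in ast.iter_child_nodes(node):
            visit(child, scope)

    visit(tree, "<module>")
    return findings

def scan_tree(root):
    """Run the check over every .py file under root; skip unparsable files."""
    results = []
    for path in sorted(pathlib.Path(root).rglob("*.py")):
        try:
            results += find_dynamic_eval(path.read_text(errors="replace"), str(path))
        except (SyntaxError, ValueError):
            continue
    return results
```

Point scan_tree() at the site-packages directory or the application checkout of each deployment; every hit inside a function registered as an agent tool or route handler needs an authentication gate in front of it or the eval() removed.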
