CVE-2026-34953
Published: 03 April 2026
Summary
CVE-2026-34953 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Praison Praisonai. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 3.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires identification and authentication of services using defined mechanisms, directly preventing authentication bypass via arbitrary Bearer tokens to MCP server tools and agents.
Enforces approved authorizations for access to system resources, mitigating full unauthorized access granted by the flawed OAuthManager token validation logic.
Validates information inputs such as Authorization headers at entry points, ensuring arbitrary Bearer tokens are rejected rather than treated as valid.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The authentication bypass in the public-facing MCP server directly enables T1190 (Exploit Public-Facing Application) by allowing unauthenticated remote attackers to access all tools and agent capabilities via arbitrary Bearer tokens.
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is…
more
treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.
Deeper analysisAI
CVE-2026-34953 is a critical authentication bypass vulnerability in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.97. The issue resides in the OAuthManager.validate_token() function, which returns True for any token not present in its internal store. Since this store is empty by default, the validation mechanism fails to enforce proper authentication, allowing unauthorized access. The vulnerability is classified under CWE-863 (Incorrect Authorization) with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Any remote attacker can exploit this vulnerability without privileges or user interaction by sending an HTTP request to the MCP server with an arbitrary Bearer token in the Authorization header. Such requests are treated as fully authenticated, granting complete access to all registered tools and agent capabilities within the PraisonAI system. This enables attackers to execute arbitrary actions through the exposed endpoints.
The vulnerability has been addressed in PraisonAI version 4.5.97. Security advisories recommend upgrading to this patched version to mitigate the issue. Details on the patch and remediation are provided in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Matched keywords: mcp