CVE-2026-34953— PraisonAI 安全漏洞

PraisonAI: Authentication Bypass in OAuthManager.validate_token()

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

授权机制不正确

PraisonAI 安全漏洞

PraisonAI是Mervin Praison个人开发者的一个低代码多智能体协作框架。 PraisonAI 4.5.97之前版本存在安全漏洞，该漏洞源于OAuthManager.validate_token函数对于未在其内部存储中找到的任何令牌均返回True，可能导致任意Bearer令牌被视作已认证，授予对所有注册工具和代理功能的完全访问权限。

N/A

N/A