
Auth bypass grants full MCP tool access in PraisonAI

Published 03 Apr 2026 | Updated 03 Apr 2026 | Source: CVEProject (cvelistV5)

TL;DR — PraisonAI’s MCP server can treat arbitrary Authorization: Bearer <token> values as authenticated, granting attackers full access to registered tools and agent capabilities over the network.

What happened

PraisonAI is a multi-agent teams system. CVE-2026-34953 describes a critical authentication/authorization failure in OAuthManager.validate_token(): the function returns True for tokens that are not found in its internal token store (notably, the store is described as empty by default).

As a result, any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities.

This is high-impact because MCP endpoints typically function as an application control-plane surface (tool execution, workflow/agent actions). Auth bypasses in these “agent tool gateways” turn a network path into immediate privileged capability execution and are easy to miss in perimeter-focused reviews.
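The fail-open pattern described above, next to a deny-by-default validator, as an added example that is not PraisonAI's code or its patch. The class names, the is_authenticated helper and the hashed in-memory store are assumptions made for illustration.

```python
import hashlib
import secrets
import time


class FailOpenStore:
    """Hypothetical model of the described bug, not PraisonAI's source."""

    def __init__(self):
        self._tokens = {}  # empty by default, as the CVE record describes

    def validate_token(self, token):
        expires_at = self._tokens.get(token)
        if expires_at is None:
            return True  # fail-open: an unknown token is accepted
        return expires_at > time.time()


class FailClosedStore:
    """Deny by default: only issued, unexpired tokens validate."""

    def __init__(self):
        self._tokens = {}  # sha256(token) -> expiry; raw tokens are not stored

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, ttl_seconds=3600):
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = time.time() + ttl_seconds
        return token

    def validate_token(self, token):
        if not isinstance(token, str) or not token:
            return False
        expires_at = self._tokens.get(self._digest(token))
        # Missing entry and expired entry both mean "not authenticated".
        return expires_at is not None and expires_at > time.time()


def is_authenticated(store, authorization_header):
    """Gate a request on its 'Authorization: Bearer <token>' header value."""
    scheme, _, value = (authorization_header or "").partition(" ")
    if scheme.lower() != "bearer":
        return False
    return store.validate_token(value.strip())
```

A regression test that sends a never-issued token to an empty store and expects rejection is the check that catches this class of bug before release.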

Who is impacted

  • Deployments running PraisonAI versions < 4.5.97.
  • Any environment exposing the PraisonAI MCP server to untrusted networks, since the CVE describes authentication being granted based on a Bearer token that can be attacker-chosen.

Component | Affected versions (per CVE record) | Patched version referenced by source
PraisonAI | < 4.5.97 | 4.5.97

What to do now

  • Follow vendor remediation guidance and apply a release that includes the fix.
    • "This issue has been patched in version 4.5.97."

  • Inventory where PraisonAI is deployed (including dev and internal platforms) and confirm which services expose an MCP HTTP surface.
  • Reduce exposure while patching: restrict network reachability to the MCP server (e.g., internal-only, authenticated gateway, or allowlisted callers) since the described weakness is a network-auth bypass.
  • If compromise is suspected, treat this as a control-plane exposure: review MCP server access logs for unexpected callers and rotate credentials/secrets accessible to the PraisonAI process and its registered tools.

Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly. Send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
