All articles
Threat IntelligenceMay 2026·3 min read

PraisonAI Example Enables Unauthenticated Remote Code Execution

An official Agent-to-Agent (A2A) server example combines a public endpoint with an unsafe eval() tool, creating a critical vulnerability.

PraisonAI Example Enables Unauthenticated Remote Code Execution
Illustration generated by Helixar Research Labs. Not a depiction of a real system, attack, or affected product.

At a Glance

CVE-2026-47391

Identifier

Critical

Severity

Network

Attack Vector

PraisonAI

Affected Product

A critical security flaw has been identified in the PraisonAI agent framework. The vulnerability allows unauthenticated remote code execution on servers running the official Agent-to-Agent (A2A) example code. An attacker can send a specially crafted network request to trick an AI agent into running arbitrary Python code. [1]

The Attack Chain Explained

The exploit chain begins when an attacker discovers a publicly accessible PraisonAI server. This is likely if a developer has deployed the official A2A server example, which binds to all network interfaces by default. The attacker sends a JSON-RPC request to the `/a2a` endpoint with a malicious prompt.

Because the example does not configure an authentication token, the server processes the request without verification. It passes the attacker's prompt to the agent's underlying Large Language Model. The prompt instructs the model to use a registered tool named `calculate`, which is designed to evaluate mathematical expressions.

The LLM then invokes the `calculate` tool with attacker-controlled input. The tool's implementation uses Python's dangerous `eval()` function, which executes the input as code. Research confirmed this chain using a real Gemini LLM, which successfully created a file on the server from an unauthenticated request, proving remote code execution. [2]

OPERATOR ACTION

Immediately review any PraisonAI A2A deployments for use of the vulnerable example code and unsafe, eval-based tools.

A Flaw in First-Party Code

This vulnerability is not simply a user misconfiguration. It originates from a combination of insecure defaults within the framework and unsafe code in a first-party example. The official `a2a-server.py` example script creates this critical issue by design.

Three specific behaviors create the exploitable condition. First, the example server binds to `0.0.0.0`, exposing it to public networks. Second, it fails to configure an `auth_token`, causing the A2A endpoint to accept unauthenticated requests. Third, it registers the `calculate` tool, which provides a direct path to code execution via `eval()`. [1]

Impact on Agentic Systems

This incident highlights a significant risk pattern in agentic systems. The LLM itself is not compromised, but it is manipulated into becoming a confused deputy. It faithfully uses a tool provided by its developers, unaware that the tool's input is controlled by an external attacker.

A successful attacker gains the ability to execute arbitrary Python code with the privileges of the server process. This can lead to data theft, credential exposure, server compromise, and lateral movement within a network. The vulnerability also exposes task management APIs, which could allow an attacker to read sensitive task data or disrupt agent operations even without using the `eval()` sink. [2]

Detection and Mitigation

Developers using PraisonAI should immediately search their codebases for the vulnerable `calculate` tool and similar uses of `eval()`. Any such tools should be replaced with safe expression parsers. All A2A server deployments should be audited to ensure they are not bound to public interfaces without proper authentication.

For long-term security, the framework itself requires hardening. The `serve()` method should default to a local-only host like `127.0.0.1`. The framework should also enforce authentication by default for all A2A endpoints, requiring developers to explicitly opt-in to unauthenticated access. These changes would establish a more secure foundation for building agentic applications.

References

  1. GitHub Security Advisory (GHSA-vg22-4gmj-prxw). https://github.com/advisories/GHSA-vg22-4gmj-prxw (accessed 2026-05-30).
  2. Vendor security advisory (github.com). https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vg22-4gmj-prxw (accessed 2026-05-30).

About Helixar Research Labs

Helixar is an AI-native software R&D lab focused on agentic governance, compliance, and security for enterprises and enterprise agents.

Helixar Research Labs publishes briefings on the agentic and AI threat surface, including autonomous agents, LLM tooling, MCP servers, model supply chains, and prompt injection. The goal is to surface the gap between traditional defenses and agentic attacks before it shows up in your incidents.

If you run agents in production, this is for you. Learn more at helixar.ai.

Back to Press