CVE-2026-34953

Source
https://cve.org/CVERecord?id=CVE-2026-34953
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34953.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34953
Aliases
Published
2026-04-03T22:54:03.542Z
Modified
2026-07-08T08:12:56.268165408Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
Summary
PraisonAI: Authentication Bypass in OAuthManager.validate_token()
Details

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34953.json",
    "cwe_ids": [
        "CWE-863"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/mervinpraison/praisonai

Affected ranges

Type
GIT
Repo
https://github.com/mervinpraison/praisonai
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.5.97"
        }
    ]
}

Affected versions

0.*
0.0.55
0.0.56
0.0.57
0.0.59rc5
2.*
2.0.25
2.0.26
2.0.27
2.0.28
2.0.29
2.0.30
2.0.31
2.0.32
2.0.33
2.0.34
2.0.35
2.0.36
2.0.37
2.0.38
2.0.39
2.0.40
2.0.41
2.0.42
2.0.43
2.0.44
2.0.45
2.0.46
2.0.47
2.0.48
2.0.49
2.0.50
2.0.51
2.0.53
2.0.54
2.0.55
2.0.56
2.0.57
2.0.58
2.0.59
2.0.60
2.0.61
2.0.62
2.0.63
2.0.64
2.0.65
2.0.66
2.0.67
2.0.68
2.0.69
2.0.70
2.0.71
2.0.72
2.0.73
2.0.74
2.0.75
2.0.76
praisonai-cli@0.*
praisonai-cli@0.2.0
praisonai-derive@0.*
praisonai-derive@0.2.0
praisonai@0.*
praisonai@0.2.0
v0.*
v0.0.1
v0.0.18
v0.0.20
v0.0.21
v0.0.22
v0.0.23
v0.0.24
v0.0.25
v0.0.26
v0.0.27
v0.0.28
v0.0.29
v0.0.30
v0.0.31
v0.0.32
v0.0.33
v0.0.34
v0.0.35
v0.0.36
v0.0.37
v0.0.38
v0.0.39
v0.0.40
v0.0.41
v0.0.42
v0.0.43
v0.0.44
v0.0.45
v0.0.46
v0.0.47
v0.0.48
v0.0.49
v0.0.50
v0.0.51
v0.0.52
v0.0.53
v0.0.54
v0.0.58
v0.0.59
v0.0.59rc1
v0.0.59rc11
v0.0.59rc2
v0.0.59rc3
v0.0.59rc4
v0.0.59rc5
v0.0.59rc6
v0.0.59rc7
v0.0.59rc8
v0.0.59rc9
v0.0.61
v0.0.62
v0.0.63
v0.0.64
v0.0.65
v0.0.66
v0.0.67
v0.0.68
v0.0.69
v0.0.70
v0.0.71
v0.0.72
v0.0.73
v0.0.74
v0.1.0
v0.1.1
v0.1.10
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.1.7
v0.1.8
v0.1.9
v0.2.0
v1.*
v1.0.0
v1.0.1
v1.0.10
v1.0.11
v1.0.2
v1.0.3
v1.0.4
v1.0.5
v1.0.6
v1.0.8
v1.0.9
v2.*
v2.0.0
v2.0.1
v2.0.10
v2.0.13
v2.0.14
v2.0.15
v2.0.16
v2.0.17
v2.0.18
v2.0.19
v2.0.20
v2.0.21
v2.0.22
v2.0.23
v2.0.24
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.77
v2.0.78
v2.0.79
v2.0.8
v2.0.80
v2.0.81
v2.0.9
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.6
v2.2.0
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.23
v2.2.24
v2.2.25
v2.2.26
v2.2.27
v2.2.28
v2.2.29
v2.2.3
v2.2.30
v2.2.31
v2.2.32
v2.2.33
v2.2.34
v2.2.35
v2.2.36
v2.2.37
v2.2.38
v2.2.39
v2.2.4
v2.2.40
v2.2.41
v2.2.42
v2.2.43
v2.2.44
v2.2.45
v2.2.46
v2.2.47
v2.2.48
v2.2.49
v2.2.5
v2.2.50
v2.2.51
v2.2.52
v2.2.53
v2.2.54
v2.2.55
v2.2.56
v2.2.57
v2.2.58
v2.2.59
v2.2.6
v2.2.60
v2.2.61
v2.2.62
v2.2.63
v2.2.64
v2.2.65
v2.2.66
v2.2.67
v2.2.68
v2.2.69
v2.2.7
v2.2.70
v2.2.71
v2.2.72
v2.2.73
v2.2.74
v2.2.75
v2.2.76
v2.2.77
v2.2.78
v2.2.79
v2.2.8
v2.2.80
v2.2.81
v2.2.82
v2.2.83
v2.2.84
v2.2.85
v2.2.86
v2.2.87
v2.2.89
v2.2.9
v2.2.90
v2.2.91
v2.2.93
v2.2.96
v2.2.97
v2.2.98
v2.2.99
v2.3.0
v2.3.1
v2.3.10
v2.3.11
v2.3.12
v2.3.13
v2.3.14
v2.3.15
v2.3.16
v2.3.18
v2.3.19
v2.3.2
v2.3.20
v2.3.21
v2.3.22
v2.3.23
v2.3.24
v2.3.25
v2.3.26
v2.3.27
v2.3.28
v2.3.29
v2.3.3
v2.3.30
v2.3.31
v2.3.32
v2.3.33
v2.3.34
v2.3.35
v2.3.36
v2.3.37
v2.3.38
v2.3.39
v2.3.4
v2.3.40
v2.3.41
v2.3.42
v2.3.43
v2.3.44
v2.3.45
v2.3.46
v2.3.47
v2.3.48
v2.3.49
v2.3.5
v2.3.50
v2.3.51
v2.3.52
v2.3.53
v2.3.54
v2.3.55
v2.3.56
v2.3.57
v2.3.58
v2.3.59
v2.3.6
v2.3.60
v2.3.61
v2.3.62
v2.3.63
v2.3.64
v2.3.65
v2.3.66
v2.3.67
v2.3.68
v2.3.69
v2.3.7
v2.3.70
v2.3.71
v2.3.72
v2.3.73
v2.3.74
v2.3.75
v2.3.76
v2.3.77
v2.3.78
v2.3.79
v2.3.8
v2.3.80
v2.3.81
v2.3.82
v2.3.83
v2.3.84
v2.3.85
v2.3.86
v2.3.87
v2.3.9
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.5.0
v2.5.2
v2.5.3
v2.5.4
v2.5.5
v2.5.6
v2.5.7
v2.6.0
v2.6.1
v2.6.2
v2.6.3
v2.6.4
v2.6.5
v2.6.6
v2.6.7
v2.6.8
v2.7.0
v2.7.1
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v4.*
v4.4.10
v4.4.11
v4.4.12
v4.4.5
v4.4.6
v4.4.7
v4.4.8
v4.4.9
v4.5.0
v4.5.1
v4.5.10
v4.5.11
v4.5.12
v4.5.13
v4.5.14
v4.5.15
v4.5.16
v4.5.17
v4.5.18
v4.5.19
v4.5.2
v4.5.20
v4.5.21
v4.5.22
v4.5.23
v4.5.24
v4.5.25
v4.5.26
v4.5.27
v4.5.28
v4.5.29
v4.5.3
v4.5.30
v4.5.31
v4.5.32
v4.5.33
v4.5.34
v4.5.35
v4.5.36
v4.5.37
v4.5.38
v4.5.39
v4.5.40
v4.5.41
v4.5.42
v4.5.43
v4.5.44
v4.5.45
v4.5.46
v4.5.48
v4.5.49
v4.5.5
v4.5.51
v4.5.52
v4.5.54
v4.5.55
v4.5.56
v4.5.57
v4.5.58
v4.5.59
v4.5.6
v4.5.60
v4.5.62
v4.5.63
v4.5.64
v4.5.65
v4.5.67
v4.5.68
v4.5.69
v4.5.7
v4.5.70
v4.5.71
v4.5.72
v4.5.73
v4.5.74
v4.5.76
v4.5.77
v4.5.78
v4.5.79
v4.5.8
v4.5.80
v4.5.81
v4.5.82
v4.5.83
v4.5.85
v4.5.87
v4.5.88
v4.5.9
v4.5.90
v4.5.93
v4.5.94
v4.5.95

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34953.json"