CVE-2026-47391

CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution

Initial Access Execution Privilege Escalation Last updated:

CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
PraisonAI
Versions
<= 4.6.39

Weakness (CWE)

CWE-95CWE-306

Timeline

Disclosed
May 29, 2026

CVSS

9.8
Critical (9.0–10)
Read the write-up →

What is CVE-2026-47391 CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution?

CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution (CVE-2026-47391) maps to the Initial Access and Execution and Privilege Escalation tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution, covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Azure Monitor, Microsoft Sentinel. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (8000, 8080, 5000, 7860) and RemoteIPType != "Private")
   or (FileName in~ ("python.exe", "python3", "python") and ProcessCommandLine has_any ("praisonai", "praison", "a2a"))
| extend SuspiciousEval = iff(ProcessCommandLine has "eval(" or ProcessCommandLine has "exec(", true, false)
| where SuspiciousEval == true or ActionType == "InboundConnectionAccepted"
| project TimeGenerated, DeviceName, AccountName, ActionType, ProcessCommandLine, RemoteIP, LocalPort, FileName
| order by TimeGenerated desc

Detects inbound connections to common PraisonAI service ports from non-private IPs and Python process invocations containing eval()/exec() patterns associated with LLM-driven code execution via the A2A endpoint.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Azure Monitor Microsoft Sentinel

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

  • Legitimate PraisonAI development environments accessible from public IPs
  • Python automation scripts that legitimately use eval() for non-A2A purposes on the same host
  • Security research environments intentionally testing the A2A endpoint with controlled payloads
  • CI/CD pipelines running PraisonAI integration tests against public endpoints

Sigma rule & cross-platform mapping

The detection logic for CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution (CVE-2026-47391) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-47391 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-47391

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (2)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe

    Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.

  2. Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution

    Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.

  3. Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation

    Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.

Unlock Pro Content

Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1552.001Credentials In Files

Same Tactic: Initial Access

Popular Detections