Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in Google Chronicle
CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.
MITRE ATT&CK
YARA-L Detection Query
rule cve_2026_47391_praisonai_a2a_rce {
meta:
author = "df00tech Detection Engineering"
description = "Detects exploitation of CVE-2026-47391 PraisonAI unauthenticated A2A LLM eval() RCE"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://github.com/advisories/GHSA-vg22-4gmj-prxw"
events:
(
$net.metadata.event_type = "NETWORK_CONNECTION"
and $net.target.port in (8000, 8080, 5000, 7860)
and not net.ip_in_range_cidr($net.principal.ip, "10.0.0.0/8")
and not net.ip_in_range_cidr($net.principal.ip, "172.16.0.0/12")
and not net.ip_in_range_cidr($net.principal.ip, "192.168.0.0/16")
)
or
(
$proc.metadata.event_type = "PROCESS_LAUNCH"
and re.regex($proc.target.process.command_line, `(?i)python.*praisonai|praison.*a2a`)
and re.regex($proc.target.process.command_line, `eval\s*\(|exec\s*\(`)
)
condition:
$net or $proc
}Chronicle YARA-L 2.0 rule detecting inbound external network connections to PraisonAI A2A service ports and Python process launches combining PraisonAI identifiers with eval()/exec() code execution patterns.
Data Sources
Required Tables
False Positives & Tuning
- Authorized GCP-internal services accessing PraisonAI on standard ports with non-RFC1918 GCP IPs
- Chronicle ingestion of logs from environments where PraisonAI eval() is used for benign tool-calling
- Python AI agent frameworks co-deployed alongside PraisonAI that use similar command patterns
- Red team exercises against controlled PraisonAI lab instances
Other platforms for CVE-2026-47391
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe
Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.
- Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution
Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.
- Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation
Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.
Unlock Pro Content
Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.