Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in Elastic Security
CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.
MITRE ATT&CK
Elastic Detection Query
sequence by host.name with maxspan=2m
[network where network.direction == "ingress"
and destination.port in (8000, 8080, 5000, 7860)
and not source.ip like "10.*" and not source.ip like "192.168.*" and not source.ip like "172.16.*"]
[process where process.name like~ "python*"
and (
process.command_line like "*praisonai*"
or process.command_line like "*praison*"
or process.command_line like "*a2a*"
)
and (
process.command_line like "*eval(*"
or process.command_line like "*exec(*"
or process.command_line like "*subprocess*"
)
]EQL sequence rule correlating inbound external network connections to AI service ports followed by Python process execution with eval/exec patterns, indicating exploitation of the PraisonAI unauthenticated A2A RCE vulnerability.
Data Sources
Required Tables
False Positives & Tuning
- Authorized external integrations connecting to PraisonAI instances over non-private ranges
- Python development tools on the same host using eval() for templating or serialization
- Automated AI testing frameworks that legitimately invoke eval-based code on PraisonAI hosts
- Containerized PraisonAI with NAT making internal traffic appear external
Other platforms for CVE-2026-47391
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe
Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.
- Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution
Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.
- Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation
Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.
Unlock Pro Content
Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.