CVE-2026-47391 CrowdStrike LogScale · LogScale

Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in CrowdStrike LogScale

CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.

MITRE ATT&CK

Tactic
Initial Access Execution Privilege Escalation

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName IN (NetworkListenIP4, NetworkReceiveAcceptIP4, ProcessRollup2)
| filePath MATCH "(?i)python"
| CommandLine MATCH "(?i)(praisonai|praison|a2a)"
| CommandLine MATCH "(eval\s*\(|exec\s*\()"
| RemoteAddressIP4 != "10.*" AND RemoteAddressIP4 != "172.16.*" AND RemoteAddressIP4 != "192.168.*"
| RemotePort IN [8000, 8080, 5000, 7860]
| table([ _time, aid, ComputerName, UserName, CommandLine, RemoteAddressIP4, RemotePort, FilePath ])
| sort -_time
critical severity high confidence

CrowdStrike Falcon CQL query identifying Python processes with PraisonAI A2A signatures executing eval()/exec() while receiving connections from external IP ranges on common AI service ports.

Data Sources

CrowdStrike Falcon Endpoint ProtectionFalcon Insight XDR

Required Tables

NetworkListenIP4NetworkReceiveAcceptIP4ProcessRollup2

False Positives & Tuning

  • Falcon-monitored hosts running authorized external-facing PraisonAI services with known-safe eval() tooling
  • EDR telemetry gaps where internal IPs are mis-classified as external due to CGNAT
  • PraisonAI version > 4.6.39 with patched eval() still triggering on command line signature
  • Automated remediation scripts that invoke python with eval() on PraisonAI hosts

Other platforms for CVE-2026-47391

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe

    Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.

  2. Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution

    Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.

  3. Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation

    Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0002ExecutionTA0004Privilege Escalation

Related Techniques

T1190Exploit Public-Facing ApplicationT1059.006PythonT1552.001Credentials In Files

Same Tactic: Initial Access

Popular Detections