Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in IBM QRadar
CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.
MITRE ATT&CK
QRadar Detection Query
SELECT DATEFORMAT(starttime,'YYYY-MM-dd HH:mm:ss') as EventTime, sourceip, destinationip, destinationport, username, "processname", "commandline", QIDNAME(qid) as EventName FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Linux','WindowsAuthServer','Sysmon') AND ((destinationport IN (8000,8080,5000,7860) AND sourceip NOT INCIDR '10.0.0.0/8' AND sourceip NOT INCIDR '172.16.0.0/12' AND sourceip NOT INCIDR '192.168.0.0/16') OR ("processname" ILIKE '%python%' AND ("commandline" ILIKE '%praisonai%' OR "commandline" ILIKE '%a2a%') AND ("commandline" ILIKE '%eval(%' OR "commandline" ILIKE '%exec(%'))) LAST 7 DAYS ORDER BY starttime DESCQRadar AQL query detecting external inbound connections to PraisonAI service ports and Python process command lines containing PraisonAI A2A markers combined with eval()/exec() execution patterns.
Data Sources
Required Tables
False Positives & Tuning
- Whitelisted external partners connecting to authorized PraisonAI API endpoints
- Security scanning tools that probe AI service ports as part of authorized vulnerability assessments
- Python scripts on monitored hosts that coincidentally use eval() adjacent to PraisonAI deployments
- VPN egress IPs appearing as external sources for internal PraisonAI users
Other platforms for CVE-2026-47391
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe
Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.
- Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution
Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.
- Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation
Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.
Unlock Pro Content
Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.