Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in Microsoft Sentinel
CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.
MITRE ATT&CK
KQL Detection Query
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (8000, 8080, 5000, 7860) and RemoteIPType != "Private")
or (FileName in~ ("python.exe", "python3", "python") and ProcessCommandLine has_any ("praisonai", "praison", "a2a"))
| extend SuspiciousEval = iff(ProcessCommandLine has "eval(" or ProcessCommandLine has "exec(", true, false)
| where SuspiciousEval == true or ActionType == "InboundConnectionAccepted"
| project TimeGenerated, DeviceName, AccountName, ActionType, ProcessCommandLine, RemoteIP, LocalPort, FileName
| order by TimeGenerated descDetects inbound connections to common PraisonAI service ports from non-private IPs and Python process invocations containing eval()/exec() patterns associated with LLM-driven code execution via the A2A endpoint.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate PraisonAI development environments accessible from public IPs
- Python automation scripts that legitimately use eval() for non-A2A purposes on the same host
- Security research environments intentionally testing the A2A endpoint with controlled payloads
- CI/CD pipelines running PraisonAI integration tests against public endpoints
Other platforms for CVE-2026-47391
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe
Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.
- Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution
Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.
- Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation
Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.
Unlock Pro Content
Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.