Detect CVE-2026-47391: PraisonAI Unauthenticated A2A LLM eval() Remote Code Execution in Splunk
CVE-2026-47391 is a critical unauthenticated remote code execution vulnerability in PraisonAI versions <= 4.6.39. The official Agent-to-Agent (A2A) example exposes an endpoint that accepts arbitrary input, passes it through an LLM-driven pipeline, and executes the result via Python's eval() without authentication or input sanitization. An attacker can craft a malicious payload that causes the LLM to emit code executed directly by the server process, achieving full RCE with the privileges of the PraisonAI service.
MITRE ATT&CK
SPL Detection Query
index=* sourcetype IN ("linux_audit", "WinEventLog:Security", "stream:http", "sysmon", "osquery:results")
| eval is_praison_process=if(match(process, "(?i)praisonai|praison") OR match(cmdline, "(?i)praisonai|a2a"), 1, 0)
| eval has_eval=if(match(cmdline, "eval\\s*\\(") OR match(cmdline, "exec\\s*\\("), 1, 0)
| eval is_web_request=if(sourcetype="stream:http" AND (dest_port IN (8000, 8080, 5000, 7860)) AND NOT cidrmatch("10.0.0.0/8", src_ip) AND NOT cidrmatch("172.16.0.0/12", src_ip) AND NOT cidrmatch("192.168.0.0/16", src_ip), 1, 0)
| where is_praison_process=1 OR has_eval=1 OR is_web_request=1
| stats count by _time, host, src_ip, dest_port, cmdline, process, user
| sort -_timeSplunk search detecting PraisonAI process execution, eval()/exec() usage in Python commands, and inbound HTTP traffic to common AI service ports from external IPs indicating potential CVE-2026-47391 exploitation.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Internal development instances of PraisonAI with eval-based tooling running legitimate workloads
- Penetration testing activities against authorized PraisonAI deployments
- Other Python AI frameworks using eval() on the same hosts as PraisonAI
- Load balancer health checks to A2A service ports misidentified as external traffic
Other platforms for CVE-2026-47391
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CVE-2026-47391 - Unauthenticated A2A Endpoint Probe
Expected signal: HTTP 200 response from the A2A endpoint without any authentication challenge (no 401/403); network logs show inbound POST to port 8000 from external IP with no auth headers present.
- Test 2CVE-2026-47391 - LLM Prompt Injection to Trigger eval() Execution
Expected signal: PraisonAI application logs show the crafted prompt being processed; if eval() is triggered, process execution logs show whoami child process spawned from the Python PraisonAI parent; network response body contains the current OS username.
- Test 3CVE-2026-47391 - Post-Exploitation Credential Harvesting Simulation
Expected signal: subprocess.check_output or env process execution event with PraisonAI Python as parent; file access events may show reads of .env files if the process has access; LLM API call logs show the injected prompt being submitted to the upstream LLM provider.
Unlock Pro Content
Get the full detection package for CVE-2026-47391 including response playbook, investigation guide, and atomic red team tests.