CVE-2026-47393

PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393)

Initial Access Defense Evasion Exfiltration Last updated:

PraisonAI versions <= 4.6.39, when deployed via `deploy --type api`, expose a Flask HTTP server with authentication disabled by default (CWE-306, CWE-1188). Any unauthenticated actor with network access can invoke the AI agent API, exfiltrate model outputs, or use the endpoint as a proxy for downstream attacks. CVSS 9.8 critical; public PoC available.

Vulnerability Intelligence

Public PoC

Affected Software

Vendor
pip
Product
PraisonAI
Versions
<= 4.6.39

Weakness (CWE)

CWE-306CWE-1188

Timeline

Disclosed
May 29, 2026

CVSS

9.8
Critical (9.0–10)
Read the write-up →

What is CVE-2026-47393 PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393)?

PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393) (CVE-2026-47393) maps to the Initial Access and Defense Evasion and Exfiltration tactics — the adversary is trying to get into your network in MITRE ATT&CK.

This page provides production-ready detection logic for PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel DeviceNetworkEvents, Microsoft Sentinel DeviceProcessEvents. The queries below are rated critical severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Exfiltration
Microsoft Sentinel / Defender
kusto 
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (5000, 8000, 8080, 8888) and RemoteIPType != "Private")
   or (FileName in~ ("python.exe", "python3", "python") and ProcessCommandLine has_any ("praisonai", "praison") and ProcessCommandLine has "deploy" and ProcessCommandLine has "api")
| extend RiskSignal = case(
    ProcessCommandLine has "deploy" and ProcessCommandLine has "api", "PraisonAI API deploy detected",
    ActionType == "InboundConnectionAccepted" and RemoteIPType != "Private", "External inbound to Flask port",
    "Unknown"
  )
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, LocalPort, RemoteIP, RemoteIPType, RiskSignal
| order by TimeGenerated desc

Detects PraisonAI API deploy invocations and inbound external connections to common Flask ports on hosts running PraisonAI processes.

critical severity medium confidence

Data Sources

Microsoft Defender for Endpoint Microsoft Sentinel DeviceNetworkEvents Microsoft Sentinel DeviceProcessEvents

Required Tables

DeviceNetworkEvents DeviceProcessEvents

False Positives

  • Legitimate internal Flask development servers on default ports without PraisonAI
  • Authorized internal AI API deployments on non-routable network segments
  • CI/CD pipelines running PraisonAI integration tests with controlled network access

Sigma rule & cross-platform mapping

The detection logic for PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393) (CVE-2026-47393) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for CVE-2026-47393 Sigma rules on detection.fyi

Platform-specific guides for CVE-2026-47393

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-06-21 Research depth: standard
References (3)

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy PraisonAI API without authentication and verify unauthenticated access

    Expected signal: Process creation event for python/praisonai with command line containing 'deploy --type api'; network socket bound to 0.0.0.0:5000; HTTP 200 response with no Authorization header in request

  2. Test 2Enumerate PraisonAI API endpoints unauthenticated from a remote host

    Expected signal: Inbound NetworkConnectIP4/NetworkConnectionEvents on port 5000 from a non-RFC1918 IP; HTTP GET and POST requests in web/proxy logs with no authentication headers

  3. Test 3Verify PraisonAI package version on a Linux host using pip

    Expected signal: Process creation for pip/python3 with 'praisonai' argument in command line; stdout output containing version string <= 4.6.39

  4. Test 4Simulate attacker submitting agent task via unauthenticated PraisonAI API

    Expected signal: HTTP POST to /api endpoint with no Authorization or Cookie headers; PraisonAI process spawning child processes to execute agent task; outbound connections if agent task triggers tool use

Unlock Pro Content

Get the full detection package for CVE-2026-47393 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0005Defense EvasionTA0010Exfiltration

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1059.006Python

Same Tactic: Initial Access

Popular Detections