CVE-2026-47393 Google Chronicle · YARA-L

Detect PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393) in Google Chronicle

PraisonAI versions <= 4.6.39, when deployed via `deploy --type api`, expose a Flask HTTP server with authentication disabled by default (CWE-306, CWE-1188). Any unauthenticated actor with network access can invoke the AI agent API, exfiltrate model outputs, or use the endpoint as a proxy for downstream attacks. CVSS 9.8 critical; public PoC available.

MITRE ATT&CK

Tactic
Initial Access Defense Evasion Exfiltration

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule praisonai_unauthenticated_api_deploy {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects PraisonAI deploy --type api invocation or external inbound to Flask ports"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8444-4fhq-fxpq"

  events:
    (
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and re.regex($e.principal.process.command_line, `(?i)praisonai.*deploy.*api`)
    ) or (
      $e.metadata.event_type = "NETWORK_CONNECTION"
      and $e.target.port in (5000, 8000, 8080, 8888)
      and not net.ip_in_range_cidr($e.principal.ip, "10.0.0.0/8")
      and not net.ip_in_range_cidr($e.principal.ip, "172.16.0.0/12")
      and not net.ip_in_range_cidr($e.principal.ip, "192.168.0.0/16")
    )

  condition:
    $e
}
critical severity medium confidence

Chronicle YARA-L rule triggering on PraisonAI deploy command lines or external network connections to common Flask API ports.

Data Sources

Chronicle UDM Endpoint TelemetryChronicle UDM Network Telemetry

Required Tables

UDM Events

False Positives & Tuning

  • Other Python applications using Flask on the same default ports
  • Authorized remote access via VPN that resolves to an external IP in logs
  • Container overlay networks presenting non-RFC1918 addresses internally

Other platforms for CVE-2026-47393

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Deploy PraisonAI API without authentication and verify unauthenticated access

    Expected signal: Process creation event for python/praisonai with command line containing 'deploy --type api'; network socket bound to 0.0.0.0:5000; HTTP 200 response with no Authorization header in request

  2. Test 2Enumerate PraisonAI API endpoints unauthenticated from a remote host

    Expected signal: Inbound NetworkConnectIP4/NetworkConnectionEvents on port 5000 from a non-RFC1918 IP; HTTP GET and POST requests in web/proxy logs with no authentication headers

  3. Test 3Verify PraisonAI package version on a Linux host using pip

    Expected signal: Process creation for pip/python3 with 'praisonai' argument in command line; stdout output containing version string <= 4.6.39

  4. Test 4Simulate attacker submitting agent task via unauthenticated PraisonAI API

    Expected signal: HTTP POST to /api endpoint with no Authorization or Cookie headers; PraisonAI process spawning child processes to execute agent task; outbound connections if agent task triggers tool use

Last updated: 2026-06-21 Research depth: standard
References (3)

Unlock Pro Content

Get the full detection package for CVE-2026-47393 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0005Defense EvasionTA0010Exfiltration

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1059.006Python

Same Tactic: Initial Access

Popular Detections