Detect PraisonAI Flask API Server Deployed Without Authentication (CVE-2026-47393) in Microsoft Sentinel
PraisonAI versions <= 4.6.39, when deployed via `deploy --type api`, expose a Flask HTTP server with authentication disabled by default (CWE-306, CWE-1188). Any unauthenticated actor with network access can invoke the AI agent API, exfiltrate model outputs, or use the endpoint as a proxy for downstream attacks. CVSS 9.8 critical; public PoC available.
MITRE ATT&CK
KQL Detection Query
union DeviceNetworkEvents, DeviceProcessEvents
| where TimeGenerated > ago(7d)
| where (ActionType == "InboundConnectionAccepted" and LocalPort in (5000, 8000, 8080, 8888) and RemoteIPType != "Private")
or (FileName in~ ("python.exe", "python3", "python") and ProcessCommandLine has_any ("praisonai", "praison") and ProcessCommandLine has "deploy" and ProcessCommandLine has "api")
| extend RiskSignal = case(
ProcessCommandLine has "deploy" and ProcessCommandLine has "api", "PraisonAI API deploy detected",
ActionType == "InboundConnectionAccepted" and RemoteIPType != "Private", "External inbound to Flask port",
"Unknown"
)
| project TimeGenerated, DeviceName, AccountName, FileName, ProcessCommandLine, LocalPort, RemoteIP, RemoteIPType, RiskSignal
| order by TimeGenerated descDetects PraisonAI API deploy invocations and inbound external connections to common Flask ports on hosts running PraisonAI processes.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate internal Flask development servers on default ports without PraisonAI
- Authorized internal AI API deployments on non-routable network segments
- CI/CD pipelines running PraisonAI integration tests with controlled network access
Other platforms for CVE-2026-47393
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Deploy PraisonAI API without authentication and verify unauthenticated access
Expected signal: Process creation event for python/praisonai with command line containing 'deploy --type api'; network socket bound to 0.0.0.0:5000; HTTP 200 response with no Authorization header in request
- Test 2Enumerate PraisonAI API endpoints unauthenticated from a remote host
Expected signal: Inbound NetworkConnectIP4/NetworkConnectionEvents on port 5000 from a non-RFC1918 IP; HTTP GET and POST requests in web/proxy logs with no authentication headers
- Test 3Verify PraisonAI package version on a Linux host using pip
Expected signal: Process creation for pip/python3 with 'praisonai' argument in command line; stdout output containing version string <= 4.6.39
- Test 4Simulate attacker submitting agent task via unauthenticated PraisonAI API
Expected signal: HTTP POST to /api endpoint with no Authorization or Cookie headers; PraisonAI process spawning child processes to execute agent task; outbound connections if agent task triggers tool use
Unlock Pro Content
Get the full detection package for CVE-2026-47393 including response playbook, investigation guide, and atomic red team tests.