Detect PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396) in Microsoft Sentinel
Detects exploitation of CVE-2026-47396, a critical authentication bypass in PraisonAI's call server component. When the CALL_SERVER_TOKEN environment variable is unset, the server exposes unauthenticated endpoints for listing, invoking, and deleting AI agents. An attacker can enumerate available agents, invoke arbitrary agent workflows, or destroy agent configurations without any credentials. CVSS 9.8 (Critical), CWE-284/CWE-306.
MITRE ATT&CK
- Tactic
- Initial Access Persistence Impact
KQL Detection Query
union CommonSecurityLog, W3CIISLog, AppServiceHTTPLogs
| where TimeGenerated > ago(24h)
| where RequestURL has_any ("/agents", "/invoke", "/delete") or csUriStem has_any ("/agents", "/invoke", "/delete")
| where RequestMethod in ("GET", "POST", "DELETE") or csMethod in ("GET", "POST", "DELETE")
| where isempty(RequestHeader_Authorization) or not(RequestHeader_Authorization matches regex @"Bearer .+")
| extend SourceIP = coalesce(SourceIP, cIP)
| extend TargetURL = coalesce(RequestURL, csUriStem)
| project TimeGenerated, SourceIP, TargetURL, RequestMethod, csMethod, ResponseCode, csStatus
| summarize RequestCount = count(), Methods = make_set(coalesce(RequestMethod, csMethod)), StatusCodes = make_set(coalesce(tostring(ResponseCode), tostring(csStatus))) by SourceIP, bin(TimeGenerated, 5m)
| where RequestCount > 2
| order by RequestCount descDetects unauthenticated HTTP requests to PraisonAI call server agent endpoints (/agents, /invoke, /delete) lacking a Bearer token Authorization header, aggregated by source IP over 5-minute windows.
Data Sources
Required Tables
False Positives & Tuning
- Internal health checks or monitoring probes that legitimately call agent endpoints without tokens
- Development or staging environments where authentication is intentionally disabled
- Load balancer or reverse proxy health checks hitting agent listing endpoints
- Automated integration tests running against non-production PraisonAI instances
Other platforms for CVE-2026-47396
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Enumerate PraisonAI agents without authentication
Expected signal: Web server access log entry: GET /agents HTTP/1.1 from test source IP, no Authorization header, HTTP 200 response with JSON agent listing
- Test 2Invoke PraisonAI agent without authentication
Expected signal: Web server access log entry: POST /invoke HTTP/1.1 from test source IP, no Authorization header, HTTP 200 or 202 response; application log showing agent invocation
- Test 3Delete PraisonAI agent configuration without authentication
Expected signal: Web server access log entry: DELETE /delete HTTP/1.1 from test source IP, no Authorization header; application log showing agent deletion event
- Test 4Confirm CALL_SERVER_TOKEN absence in running process
Expected signal: Process environment read via /proc/<pid>/environ; output contains no CALL_SERVER_TOKEN entry
Unlock Pro Content
Get the full detection package for CVE-2026-47396 including response playbook, investigation guide, and atomic red team tests.