CVE-2026-47396 Splunk · SPL

Detect PraisonAI Call Server Unauthenticated Agent Access (CVE-2026-47396) in Splunk

Detects exploitation of CVE-2026-47396, a critical authentication bypass in PraisonAI's call server component. When the CALL_SERVER_TOKEN environment variable is unset, the server exposes unauthenticated endpoints for listing, invoking, and deleting AI agents. An attacker can enumerate available agents, invoke arbitrary agent workflows, or destroy agent configurations without any credentials. CVSS 9.8 (Critical), CWE-284/CWE-306.

MITRE ATT&CK

Tactic
Initial Access Persistence Impact

SPL Detection Query

Splunk (SPL)
spl 
index=web OR index=proxy sourcetype IN ("access_combined", "iis", "nginx:access", "apache:access")
| where (uri_path="/agents*" OR uri_path="/invoke*" OR uri_path="/delete*")
| eval has_auth=if(like(lower(http_request_header), "%authorization: bearer%"), "yes", "no")
| where has_auth="no"
| eval http_method=coalesce(http_method, method)
| stats count AS request_count, values(http_method) AS methods, values(status) AS status_codes, dc(uri_path) AS unique_endpoints BY src_ip, span("5m") _time
| where request_count > 2
| eval risk_score=case(request_count > 20, "critical", request_count > 10, "high", request_count > 5, "medium", true(), "low")
| table _time, src_ip, request_count, methods, status_codes, unique_endpoints, risk_score
| sort - request_count
critical severity medium confidence

Detects unauthenticated requests to PraisonAI call server agent endpoints in web/proxy logs, flagging sources lacking an Authorization Bearer header and aggregating by source IP.

Data Sources

Web proxy logsNginx access logsApache access logsIIS logs

Required Sourcetypes

access_combinediisnginx:accessapache:access

False Positives & Tuning

  • Internal monitoring tools polling the agents endpoint for availability checks
  • Development environments with authentication deliberately disabled
  • CI/CD pipeline tests querying agent endpoints without credentials
  • Misconfigured reverse proxies stripping Authorization headers before logging

Other platforms for CVE-2026-47396

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Enumerate PraisonAI agents without authentication

    Expected signal: Web server access log entry: GET /agents HTTP/1.1 from test source IP, no Authorization header, HTTP 200 response with JSON agent listing

  2. Test 2Invoke PraisonAI agent without authentication

    Expected signal: Web server access log entry: POST /invoke HTTP/1.1 from test source IP, no Authorization header, HTTP 200 or 202 response; application log showing agent invocation

  3. Test 3Delete PraisonAI agent configuration without authentication

    Expected signal: Web server access log entry: DELETE /delete HTTP/1.1 from test source IP, no Authorization header; application log showing agent deletion event

  4. Test 4Confirm CALL_SERVER_TOKEN absence in running process

    Expected signal: Process environment read via /proc/<pid>/environ; output contains no CALL_SERVER_TOKEN entry

Last updated: 2026-06-21 Research depth: standard
References (2)

Unlock Pro Content

Get the full detection package for CVE-2026-47396 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hubs

TA0001Initial AccessTA0003PersistenceTA0040Impact

Related Techniques

T1190Exploit Public-Facing ApplicationT1078Valid AccountsT1485Data DestructionT1059Command and Scripting Interpreter

Same Tactic: Initial Access

Popular Detections