CVE-2026-34953 - Vulnerability Analysis
Severity: Critical | CVSS: 9.1 | Last Updated: April 6, 2026
PraisonAI - Authentication Bypass
Overview
PraisonAI versions prior to 4.5.97 contain an authentication bypass. OAuthManager.validate_token() returns True for any token that is not present in its internal token store, and that store is empty by default, so in a default deployment every token is "unknown" and every token is accepted. Any HTTP request to the MCP server that carries an arbitrary Bearer token is therefore treated as authenticated, giving a remote, unauthenticated attacker full access to all registered tools and agent capabilities. Exploitation requires nothing more than sending a request with a made-up Bearer token.
Severity & Score
Critical, CVSS 3.1 base score 9.1 (network-reachable, low complexity, no privileges or user interaction required; High confidentiality and integrity impact, no availability impact).
Impact
Remote, unauthenticated attackers can gain full access to all registered tools and agent capabilities. The CVSS vector rates confidentiality and integrity impact as High and availability impact as None: an attacker can read and invoke everything the agent exposes, but the flaw is not a denial-of-service vector.
Mitigation
Upgrade PraisonAI to version 4.5.97 or later. Until the upgrade is applied, restrict network access to the MCP server (firewall, private network, or an authenticating reverse proxy in front of it), since any request carrying a Bearer header is accepted by the vulnerable versions.
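To make the failure mode concrete, here is an added example (written for this page, not PraisonAI's own code, and not a reconstruction of its actual class) that reproduces the fail-open pattern the advisory describes beside a fail-closed counterpart, and runs both behind a minimal Bearer-header check of the kind an MCP server middleware would apply. Class names, the token-store layout, and the request headers are all assumptions constructed for illustration.

```python
"""Fail-open vs fail-closed bearer-token validation (illustrative, not PraisonAI code)."""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FailOpenOAuthManager:
    """Hypothetical reproduction of the bug pattern the advisory describes:
    a token absent from the store is accepted, and the store is empty by
    default, so every bearer value passes."""
    tokens: Dict[str, dict] = field(default_factory=dict)

    def validate_token(self, token: str) -> bool:
        entry = self.tokens.get(token)
        if entry is None:
            return True            # fail-open: unknown token treated as valid
        return not entry["revoked"]


@dataclass
class FailClosedOAuthManager:
    """Hardened counterpart: only tokens this manager issued and has not
    revoked validate; anything else, including an empty store, rejects."""
    tokens: Dict[str, dict] = field(default_factory=dict)

    def issue_token(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"sub": subject, "revoked": False}
        return token

    def revoke_token(self, token: str) -> None:
        if token in self.tokens:
            self.tokens[token]["revoked"] = True

    def validate_token(self, token: str) -> bool:
        # Compare against every stored token in constant time so a miss and a
        # near-miss are indistinguishable by timing; an empty store rejects all.
        candidate = token.encode("utf-8")
        for stored, entry in self.tokens.items():
            if hmac.compare_digest(stored.encode("utf-8"), candidate):
                return not entry["revoked"]
        return False


def extract_bearer(headers: Dict[str, str]) -> Optional[str]:
    """Pull the token out of an Authorization: Bearer header; None if the
    header is absent or malformed (wrong scheme, empty token)."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    parts = value.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "bearer" or not parts[1].strip():
        return None
    return parts[1].strip()


def authorize_request(manager, headers: Dict[str, str]) -> Tuple[int, str]:
    """Gate a tool call the way a server middleware would: 401 unless a
    well-formed bearer token validates. Returns (HTTP status, reason)."""
    token = extract_bearer(headers)
    if token is None:
        return 401, "missing or malformed bearer token"
    if not manager.validate_token(token):
        return 401, "invalid token"
    return 200, "ok"


def demo() -> Dict[str, Tuple[int, str]]:
    """Constructed requests: one carrying an arbitrary bearer value (the
    attacker's case) and one carrying a token the hardened manager issued."""
    attacker = {"Authorization": "Bearer totally-made-up"}
    vulnerable = FailOpenOAuthManager()          # empty store, as shipped
    hardened = FailClosedOAuthManager()
    legit = {"Authorization": f"Bearer {hardened.issue_token('agent-operator')}"}
    return {
        "vulnerable/arbitrary": authorize_request(vulnerable, attacker),
        "hardened/arbitrary": authorize_request(hardened, attacker),
        "hardened/issued": authorize_request(hardened, legit),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22s} -> {result}")
```

The point of the hardened version is the default branch: a lookup miss must mean "reject", never "trust". Note also that a store that is empty by default is a red flag on its own; if no token can ever have been issued, the only honest answer from validate_token() is False.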
Social Media Activity (2 posts)
CVE-2026-34953 - Critical (9.1) PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer toke... https://www.thehackerwire.com/vulnerability/CVE-2026-34953/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CRITICAL vuln in PraisonAI (<4.5.97): CVE-2026-34953 allows any bearer token to bypass auth & gain full access to all agent capabilities. Patch to 4.5.97+ now! No exploits yet. Details: https://radar.offseq.com/threat/cve-2026-34953-cwe-863-incorrect-authorization-in--72e3ef5e #OffSeq #CVE202634953 #infosec #patch
Details
- CVE ID: CVE-2026-34953
- Severity: Critical
- CVSS Score: 9.1
- Type: broken_authentication
- Status: new
- EPSS: 3.0%
- Social Posts: 2
CWE
- CWE-863 (Incorrect Authorization)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N