CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2026-34953

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, OAuthManager.validate_token() returns True for any token not found in its internal store, which is empty by default. Any HTTP request to the MCP server with an arbitrary Bearer token is treated as authenticated, granting full access to all registered tools and agent capabilities. This issue has been patched in version 4.5.97.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 11.9%

CVSS Severity

CVSS v3 Score 9.1

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5

Products affected by CVE-2026-34953

Praison » Praisonai » Version: Any

cpe:2.3:a:praison:praisonai:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2026-34953

Products

Pricing

Contact Us