python · praisonai · Critical
praisonai AgentOS FastAPI routes remain unauthenticated after GHSA-pm96-6xpr-978x patch
AgentOS FastAPI deployment surface remains unauthenticated after the published patched version for GHSA-pm96-6xpr-978x.
What changed
Routes GET /api/agents and POST /api/chat are registered without authentication, allowing unauthenticated remote agent invocation.
Who it affects
Users of praisonai versions >= 4.2.1, <= 4.6.57, including v4.5.128 (published patched version) and current main, who expose AgentOS on a reachable interface.
What to do today
Apply authentication to AgentOS routes or restrict network access to trusted clients only. Update to a fixed version when available.
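One way to apply the first mitigation, shown as an added example that is not praisonai's code or its fix: a dependency-free ASGI wrapper that rejects any request lacking the expected bearer token before it reaches the wrapped app. It relies only on FastAPI apps being ASGI callables; `RequireBearerToken`, `stub_agentos`, `probe` and the token value are names and sample data made up here, and obtaining the real AgentOS app object to wrap is not covered by this page.

```python
import asyncio
import hmac

class RequireBearerToken:
    """ASGI wrapper that fails closed: no valid token, no call into the wrapped app."""

    def __init__(self, app, token: str):
        if len(token) < 32:
            raise ValueError("token must be at least 32 characters")
        self.app = app
        self.expected = b"Bearer " + token.encode()

    async def __call__(self, scope, receive, send):
        if scope["type"] == "lifespan":  # startup/shutdown events carry no request
            return await self.app(scope, receive, send)
        supplied = dict(scope.get("headers") or []).get(b"authorization", b"")
        if hmac.compare_digest(supplied, self.expected):  # constant-time comparison
            return await self.app(scope, receive, send)
        if scope["type"] == "websocket":  # deny the handshake instead of answering 401
            return await send({"type": "websocket.close", "code": 1008})
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"www-authenticate", b"Bearer"),
                                (b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": b"authentication required\n"})

# Assumption: the AgentOS FastAPI app is an ASGI callable. stub_agentos is a
# constructed stand-in that answers 200 on every route, as an open deployment would.
async def stub_agentos(scope, receive, send):
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"agent invoked"})

def probe(app, method, path, authorization=None):
    """Send one constructed request through `app` in-process; return the HTTP status."""
    headers = [(b"authorization", authorization.encode())] if authorization else []
    scope = {"type": "http", "method": method, "path": path, "headers": headers}
    sent = []

    async def receive():
        return {"type": "http.request", "body": b"", "more_body": False}

    async def send(message):
        sent.append(message)

    asyncio.run(app(scope, receive, send))
    return sent[0]["status"]

TOKEN = "constructed-example-token-0123456789abcdef"  # constructed; load from a secret store
guarded = RequireBearerToken(stub_agentos, TOKEN)
```

Serve the wrapped object in place of the bare app, and keep the listener bound to a trusted interface as well, since the advisory lists network restriction as the other mitigation.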