# [CRIT] [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution **Source:** GitHub Security Advisories **Published:** 2026-05-29 **Article:** https://github.com/advisories/GHSA-vg22-4gmj-prxw ## Threat Profile PraisonAI's unauthenticated A2A official example can reach real LLM-driven `eval()` tool execution ## Summary The first-party PraisonAI A2A server example combines three behaviors into a remotely exploitable Critical chain: 1. The example exposes an A2A server without configuring `auth_token`. 2. The same example binds the server to `0.0.0.0`. 3. The example registers a `calculate(expression)` tool implemented with Python `eval(expression)`. An unauthenticated network client can send a JSON-… ## Indicators of Compromise (high-fidelity only) - **CVE:** `CVE-2026-47391` ## MITRE ATT&CK Techniques - **T1190** — Exploit Public-Facing Application - **T1204.002** — User Execution: Malicious File - **T1059.006** — Command and Scripting Interpreter: Python - **T1059.004** — Command and Scripting Interpreter: Unix Shell - **T1133** — External Remote Services ## Kill chain phases observed _(none detected from narrative keywords)_ ## Recommended hunts ### Unauthenticated JSON-RPC POST to PraisonAI /a2a endpoint (CVE-2026-47391 exploit) `UC_165_2` · phase: **delivery** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Web.http_method) as method values(Web.url) as url values(Web.status) as status values(Web.src) as src_ip values(Web.dest) as dest_ip from datamodel=Web where Web.url="*/a2a*" Web.http_method="POST" Web.dest_port IN (8000,80,443,8080) by Web.src Web.dest Web.user_agent | `drop_dm_object_name(Web)` | search NOT src IN ("10.0.0.0/8","172.16.0.0/12","192.168.0.0/16","127.0.0.1") | where status=200 | rename src AS src_ip dest AS dest_ip ``` **Defender KQL:** ```kql DeviceNetworkEvents | where Timestamp > ago(7d) | where ActionType in ("InboundConnectionAccepted","ConnectionSuccess") | where LocalPort in (8000, 80, 443, 8080) | where RemoteIPType == "Public" | where InitiatingProcessFileName in~ ("python.exe","python3.exe","python3","python","uvicorn.exe","uvicorn") or InitiatingProcessCommandLine has_any ("a2a-server.py","a2a.py","praisonai","praisonaiagents") | project Timestamp, DeviceName, RemoteIP, RemotePort, LocalIP, LocalPort, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessFolderPath, ReportId | order by Timestamp desc ``` ### Suspicious child process spawned by PraisonAI uvicorn/python A2A server (eval() RCE evidence) `UC_165_3` · phase: **exploit** · confidence: **High** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.process_name) as child_name values(Processes.parent_process_name) as parent_name values(Processes.parent_process) as parent_cmd values(Processes.user) as user from datamodel=Endpoint.Processes where (Processes.parent_process_name IN ("python","python3","python.exe","python3.exe","uvicorn","uvicorn.exe") AND Processes.parent_process IN ("*a2a-server.py*","*praisonai*","*praisonaiagents*","*a2a.py*")) (Processes.process_name IN ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe","curl","wget","nc","ncat","socat","whoami","id","uname","hostname","cat","env","printenv") OR Processes.process IN ("*os.system*","*subprocess.*","*__import__*","*compile(*","*exec(*","*open('/etc/passwd*","*open(\"/etc/passwd*")) by Processes.dest Processes.parent_process_name Processes.parent_process Processes.process_name Processes.process Processes.user | `drop_dm_object_name(Processes)` ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(7d) | where InitiatingProcessFileName in~ ("python.exe","python3.exe","python","python3","uvicorn.exe","uvicorn") | where InitiatingProcessCommandLine has_any ("a2a-server.py","praisonai","praisonaiagents","a2a.py") or InitiatingProcessParentFileName in~ ("uvicorn","uvicorn.exe") | where FileName in~ ("sh","bash","dash","zsh","cmd.exe","powershell.exe","pwsh.exe", "curl","curl.exe","wget","wget.exe","nc","ncat","socat", "whoami","whoami.exe","id","uname","hostname","hostname.exe", "cat","env","printenv","net.exe","net1.exe","ipconfig.exe","ifconfig") or ProcessCommandLine has_any ("/etc/passwd","/etc/shadow","~/.aws/credentials","~/.ssh/id_", "GEMINI_API_KEY","OPENAI_API_KEY","ANTHROPIC_API_KEY", "official-a2a-example-real-llm-canary") | project Timestamp, DeviceName, AccountName, ParentImage = InitiatingProcessFolderPath, ParentCmd = InitiatingProcessCommandLine, ChildImage = FolderPath, ChildCmd = ProcessCommandLine, SHA256, ReportId | order by Timestamp desc ``` ### PraisonAI A2A example server started with vulnerable 0.0.0.0 bind and no auth_token `UC_165_4` · phase: **install** · confidence: **Medium** · AI-generated for this article **Splunk SPL (CIM):** ```spl | tstats `summariesonly` count min(_time) as firstTime max(_time) as lastTime values(Processes.process) as cmdline values(Processes.parent_process) as parent_cmd values(Processes.user) as user from datamodel=Endpoint.Processes where Processes.process_name IN ("python","python3","python.exe","python3.exe","uvicorn","uvicorn.exe") AND (Processes.process IN ("*a2a-server.py*","*praisonaiagents*a2a*","*A2A(*") OR Processes.process IN ("*uvicorn.run*0.0.0.0*8000*","*--host*0.0.0.0*")) by Processes.dest Processes.process_name Processes.process Processes.parent_process_name Processes.user | `drop_dm_object_name(Processes)` | search cmdline="*a2a*" OR cmdline="*praisonai*" ``` **Defender KQL:** ```kql DeviceProcessEvents | where Timestamp > ago(30d) | where FileName in~ ("python.exe","python3.exe","python","python3","uvicorn.exe","uvicorn") | where ProcessCommandLine has_any ("a2a-server.py","praisonaiagents","praisonai") or (ProcessCommandLine has "A2A" and ProcessCommandLine has "serve") | extend BindsAllInterfaces = ProcessCommandLine has_any ("0.0.0.0","--host 0.0.0.0") | extend ConfiguresAuth = ProcessCommandLine has_any ("auth_token","AUTH_TOKEN") | where BindsAllInterfaces == true or ConfiguresAuth == false | summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Hits = count(), AnyCmd = any(ProcessCommandLine), AnyParent = any(InitiatingProcessCommandLine) by DeviceName, AccountName, FileName | order by LastSeen desc ``` ### Article-specific behavioural hunt — [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official examp `UC_165_1` · phase: **exploit** · confidence: **High** **Splunk SPL (CIM):** ```spl ``` Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official examp ``` | tstats `summariesonly` count earliest(_time) AS firstTime latest(_time) AS lastTime from datamodel=Endpoint.Processes where (Processes.process_name IN ("server.py","official-a2a-example-real-llm-canary.py","a2a-server.py")) by Processes.dest, Processes.user, Processes.process_name, Processes.process, Processes.parent_process_name, Processes.process_path | `drop_dm_object_name(Processes)` | `security_content_ctime(firstTime)` | append [ | tstats `summariesonly` count from datamodel=Endpoint.Filesystem where Filesystem.action IN ("created","modified") AND (Filesystem.file_path="*/home/employees/fox-linux-qa-002/work/inbox/PraisonAI/examples/python/a2a/a2a-server.py*" OR Filesystem.file_path="*/home/employees/fox-linux-qa-002/work/out/official-a2a-example-real-llm-canary.txt*" OR Filesystem.file_path="*/usr/bin/env*" OR Filesystem.file_path="*/home/employees/fox-linux-qa-002/work/out/official-a2a-example-http-eval-canary.txt*" OR Filesystem.file_name IN ("server.py","official-a2a-example-real-llm-canary.py","a2a-server.py")) by Filesystem.dest, Filesystem.user, Filesystem.process_name, Filesystem.file_path, Filesystem.file_name | `drop_dm_object_name(Filesystem)` ] ``` **Defender KQL:** ```kql // Article-specific bespoke detection — [GHSA / CRITICAL] CVE-2026-47391: PraisonAI's unauthenticated A2A official examp // Hunts the actual binaries / paths / commandline fragments named // in the article instead of a generic technique-class template. DeviceProcessEvents | where Timestamp > ago(30d) | where (FileName in~ ("server.py", "official-a2a-example-real-llm-canary.py", "a2a-server.py")) | project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc // File-creation events for the named binaries / paths DeviceFileEvents | where Timestamp > ago(30d) | where ActionType in ("FileCreated","FileModified") | where (FolderPath has_any ("/home/employees/fox-linux-qa-002/work/inbox/PraisonAI/examples/python/a2a/a2a-server.py", "/home/employees/fox-linux-qa-002/work/out/official-a2a-example-real-llm-canary.txt", "/usr/bin/env", "/home/employees/fox-linux-qa-002/work/out/official-a2a-example-http-eval-canary.txt") or FileName in~ ("server.py", "official-a2a-example-real-llm-canary.py", "a2a-server.py")) | project Timestamp, DeviceName, AccountName, FolderPath, FileName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine | order by Timestamp desc ``` ### IOC-driven hunts (use shared templates) These are standard IOC-substitution hunts — the canonical SPL and KQL live once in [`_TEMPLATES.md`](../_TEMPLATES.md), so we don't repeat the same boilerplate on every CVE / hash / network-IOC briefing. - **Asset exposure — vulnerability matches article CVE(s)** ([template](../_TEMPLATES.md#asset-exposure)) — phase: **recon**, confidence: **High** - CVE(s): `CVE-2026-47391` ## Why this matters Severity classified as **CRIT** based on: CVE present, 5 use case(s) fired, 5 technique(s) inferred. Read the full article for actor attribution, tooling details, and any defanged IOCs in the body that aren't visible in the RSS summary.