
GHSA-5qw8-f2g9-ff29: PraisonAI recipe serve Typer command bypasses the non-localhost authentication guard

June 18, 2026

PraisonAI’s installed console entrypoint is Typer-first. In current releases, the recipe command is registered in the Typer app and praisonai recipe serve dispatches to the deprecated Typer command in src/praisonai/praisonai/cli/commands/recipe.py.

That Typer command can start the Recipe HTTP server on a non-localhost interface with no authentication:

praisonai recipe serve --host 0.0.0.0 --admin

It prints a deprecation warning, then launches the server with:

{
  "host": "0.0.0.0",
  "config": {
    "cors_origins": "*",
    "enable_admin": true
  }
}

Because config.auth is absent, create_app() does not attach the API-key or JWT middleware. Unauthenticated requests can then reach the recipe API and, when enabled, /admin/reload.

This is an incomplete hardening / sibling-callsite issue. The legacy feature handler in src/praisonai/praisonai/cli/features/recipe.py rejects the same non-localhost/no-auth combination, and current create_auth_middleware() now fails closed if API-key/JWT auth is selected without a secret. The installed Typer command bypasses both expectations by never requiring or setting auth.
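As an added example (not PraisonAI's own code), the guard that the Typer command skips can be expressed as a fail-closed check run before create_app(): it refuses a non-loopback bind unless config.auth selects a mode and carries a secret. validate_serve_config(), require_safe_serve_config() and the auth "mode"/"secret" keys are assumed names; host, auth, cors_origins and enable_admin follow the advisory's description.

```python
import ipaddress

# Hypothetical names: validate_serve_config, require_safe_serve_config and the
# "mode"/"secret" keys under config["auth"]. "host", "auth", "cors_origins" and
# "enable_admin" are the fields named in the advisory.
AUTH_MODES = ("api_key", "jwt")


def is_loopback(host: str) -> bool:
    """True only for loopback binds. "0.0.0.0" and "::" are wildcard binds and
    count as non-localhost, which is exactly the case the advisory describes."""
    bare = host.strip("[]")
    if bare.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(bare).is_loopback
    except ValueError:
        return False  # unresolved hostname: assume it is reachable from outside


def auth_is_configured(config: dict) -> bool:
    """Fail closed, like create_auth_middleware(): an auth section only counts
    if a supported mode is selected AND a non-empty secret is present."""
    auth = config.get("auth")
    if not isinstance(auth, dict) or auth.get("mode") not in AUTH_MODES:
        return False
    secret = auth.get("secret")
    return isinstance(secret, str) and bool(secret.strip())


def validate_serve_config(host: str, config: dict) -> list:
    """Return the reasons a launch must be refused (empty list means safe).
    Re-implements the non-localhost/no-auth rejection the Typer path lacks."""
    if is_loopback(host) or auth_is_configured(config):
        return []
    problems = [f"host {host!r} is not loopback and config.auth is missing or incomplete"]
    if config.get("enable_admin"):
        problems.append("enable_admin=true would expose /admin/reload unauthenticated")
    if config.get("cors_origins") == "*":
        problems.append("cors_origins='*' lets any browser origin call the unauthenticated API")
    return problems


def require_safe_serve_config(host: str, config: dict) -> dict:
    """Call before create_app(): raise instead of starting an unauthenticated server."""
    problems = validate_serve_config(host, config)
    if problems:
        raise PermissionError("refusing to start recipe server: " + "; ".join(problems))
    return {"host": host, "config": config}
```

With the advisory's own launch parameters (host "0.0.0.0", cors_origins "*", enable_admin true, no auth) the check reports three problems; the same config bound to 127.0.0.1, or bound anywhere with a complete auth section, passes.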

References

  • github.com/MervinPraison/PraisonAI/security/advisories/GHSA-5qw8-f2g9-ff29
  • github.com/advisories/GHSA-5qw8-f2g9-ff29

Code Behaviors & Features

Detect and mitigate GHSA-5qw8-f2g9-ff29 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →

Affected versions

All versions starting from 4.5.112 before 4.6.59

Fixed versions

  • 4.6.59

Solution

Upgrade to version 4.6.59 or above.

Impact 8.2 HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N


Weakness

  • CWE-287: Improper Authentication
  • CWE-306: Missing Authentication for Critical Function
  • CWE-862: Missing Authorization

Source file

pypi/praisonai/GHSA-5qw8-f2g9-ff29.yml


Page generated Tue, 23 Jun 2026 12:23:22 +0000.