CVE-2026-34952
Published: 2026-04-03
Priority: P3 · 58 · Severity: critical · CVSS 3.1 base score: 9.1
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:N
EPSS: 0.44% (35.5th percentile)
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.97 | 4.5.97 |
| mervinpraison | praisonai | >= 0 < 4.5.115 | 4.5.115 |
| mervinpraison | praisonai | >= 0 < 4.5.97 | 4.5.97 |
| praison | praisonai | < 4.5.97 | 4.5.97 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| GHSA | | 9.1 | CRITICAL | |
| OSV | | 9.1 | CRITICAL | |
OSV / GHSA
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
osv · ghsa · 2026-04-08 · CVSS 9.1
CVE-2026-39889 [CRITICAL] CWE-200 PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.
The create_a2u_routes() function registers the following endpoints with NO authentication checks:
- GET /a2u/info — exposes server info and stream names
- POST /a2u/subscribe — creates event stream subscription
- GET /a2u/events/{stream_name} — streams ALL agent events
- GET /a2u/events/sub/{id} — streams events for subscription
- GET /a2u/health — health check
An unauthenticated attacker can:
1. POST /a2u/subscribe → receive subscription_id
2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of a
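The two advisories above describe the same class of problem on two servers: endpoints that answer any client without credentials. A practitioner auditing a deployment wants a quick check that sends no credentials at all and reports which paths still answer. The script below is an added example, not PraisonAI code: `probe_unauth_endpoints()` requests `/info`, `/a2u/info` and `/a2u/health` and attempts the RFC 6455 opening handshake on `/ws`, recording each path as unauthenticated when it gets a 200 (or a completed handshake) back. The endpoint paths are those named in the advisories; the stub server, its response bodies and the agent names are constructed stand-ins that mimic the reported pre-4.5.97 behaviour so the probe can run offline. Point the probe at a real host and port to audit an instance; a patched server should return 401 or 403 on the protected paths.

```python
"""Probe for unauthenticated PraisonAI gateway/A2U endpoints (added example, not project code).
The stub server is a constructed stand-in for a vulnerable instance so the probe runs offline."""
import base64
import hashlib
import http.client
import json
import os
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # RFC 6455 magic string

# Paths from CVE-2026-34952 (/info, /ws) and CVE-2026-39889 (/a2u/*).
HTTP_PATHS = ["/info", "/a2u/info", "/a2u/health"]
WS_PATH = "/ws"


def ws_accept_value(key: str) -> str:
    """Sec-WebSocket-Accept per RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


class _VulnerableStub(BaseHTTPRequestHandler):
    """Constructed stand-in for a pre-4.5.97 server: nothing checks a token."""

    def log_message(self, *_):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == WS_PATH and "websocket" in self.headers.get("Upgrade", "").lower():
            self.send_response(101)  # handshake completed unconditionally
            self.send_header("Upgrade", "websocket")
            self.send_header("Connection", "Upgrade")
            self.send_header("Sec-WebSocket-Accept", ws_accept_value(self.headers["Sec-WebSocket-Key"]))
            self.end_headers()
            return
        bodies = {  # invented placeholder payloads, shaped like the advisory's /info response
            "/info": {"agents": ["planner", "coder"], "sessions": 1, "clients": 0},
            "/a2u/info": {"streams": ["default"]},
            "/a2u/health": {"status": "ok"},
        }
        if self.path not in bodies:
            self.send_error(404)
            return
        data = json.dumps(bodies[self.path]).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def start_stub() -> tuple:
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _VulnerableStub)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_unauth_endpoints(host: str, port: int) -> dict:
    """Return {path: finding}. 'unauthenticated' means the server answered 200
    (or completed the WebSocket handshake) although no credentials were sent."""
    findings = {}
    for path in HTTP_PATHS:
        conn = http.client.HTTPConnection(host, port, timeout=5)
        conn.request("GET", path)  # deliberately no Authorization header or cookie
        resp = conn.getresponse()
        body = resp.read()
        if resp.status == 200:
            findings[path] = {"finding": "unauthenticated", "body": json.loads(body)}
        elif resp.status in (401, 403):
            findings[path] = {"finding": "auth required"}
        else:
            findings[path] = {"finding": f"status {resp.status}"}
        conn.close()
    # WebSocket opening handshake, again with no token of any kind
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", WS_PATH, headers={
        "Upgrade": "websocket", "Connection": "Upgrade",
        "Sec-WebSocket-Key": key, "Sec-WebSocket-Version": "13"})
    resp = conn.getresponse()
    handshake_ok = resp.status == 101 and resp.getheader("Sec-WebSocket-Accept") == ws_accept_value(key)
    findings[WS_PATH] = {"finding": "unauthenticated" if handshake_ok else f"status {resp.status}"}
    conn.close()
    return findings


if __name__ == "__main__":
    srv, port = start_stub()
    try:
        print(json.dumps(probe_unauth_endpoints("127.0.0.1", port), indent=2))
    finally:
        srv.shutdown()
        srv.server_close()
```

The handshake check validates `Sec-WebSocket-Accept` rather than trusting the 101 alone, so a reverse proxy that answers 101 for anything does not produce a false positive. Run it against `/ws` on a real instance only with authorisation; a successful handshake there is exactly the condition CVE-2026-34952 describes.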
OSV / GHSA
PraisonAI Has Missing Authentication in WebSocket Gateway
osv · ghsa · 2026-04-01
CVE-2026-34952 [CRITICAL] CWE-306 PraisonAI Has Missing Authentication in WebSocket Gateway
### Summary
The PraisonAI Gateway server accepts WebSocket connections at `/ws` and serves agent topology at `/info` with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets.
### Details
`gateway/server.py:242` (source) -> `gateway/server.py:250` (sink)
```python
# source -- /info leaks all agent IDs with no auth
async def info(request):
    return JSONResponse({
        "agents": list(self._agents.keys()),
        "sessions": len(self._sessions),
        "clients": len(self._clients),
    })

# sink -- WebSocket accepted unconditionally, no token check
async def websocket_endpoint(websocket: WebSocket):
    await websocket.accept()
    client_id = str(uuid.uuid4())
    self._clients[cli
```
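The excerpt above shows the sink: `websocket.accept()` runs before any credential is examined, and `/info` is served the same way. The hardened form that a fix needs is a check that runs before `accept()` and before the `/info` handler, and the same check closes the A2U gap from CVE-2026-39889. The block below is an added example, not PraisonAI's patch: a framework-neutral ASGI middleware that refuses `/info`, `/ws` and everything under `/a2u/` unless a shared bearer token is presented, rejecting an HTTP request with 401 and a WebSocket upgrade with a close during the handshake. The token source (an environment variable), the `?token=` fallback, the demo inner app and the agent names are assumptions for illustration; the route paths are from the advisories. ASGI scopes are built inline so it runs without a server.

```python
"""Token-gating middleware for the gateway routes (added example, not project code).
Assumed: the token comes from an env var; the demo_gateway app stands in for the real one."""
import asyncio
import hmac
import json
import os
from typing import Optional
from urllib.parse import parse_qs


def _is_protected(path: str) -> bool:
    # /info and /ws from CVE-2026-34952, /a2u/* from CVE-2026-39889
    return path in ("/info", "/ws") or path.startswith("/a2u/")


def _presented_token(scope) -> Optional[str]:
    """Bearer token from Authorization, else ?token= (browser WebSocket clients
    cannot set headers; the query form is weaker because it ends up in logs)."""
    headers = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope.get("headers", [])}
    auth = headers.get("authorization", "")
    if auth.lower().startswith("bearer "):
        return auth[7:].strip()
    return parse_qs(scope.get("query_string", b"").decode("latin-1")).get("token", [None])[0]


class RequireGatewayToken:
    """Wrap an ASGI app so every protected path must carry the expected token."""

    def __init__(self, app, expected_token: str):
        if not expected_token:
            raise ValueError("refusing to start without a gateway token")
        self.app = app
        self.expected = expected_token.encode()

    def _authorized(self, scope) -> bool:
        tok = _presented_token(scope)
        # constant-time compare on bytes: no timing leak, no TypeError on non-ASCII input
        return tok is not None and hmac.compare_digest(tok.encode(), self.expected)

    async def __call__(self, scope, receive, send):
        if scope["type"] not in ("http", "websocket") or not _is_protected(scope["path"]):
            return await self.app(scope, receive, send)
        if self._authorized(scope):
            return await self.app(scope, receive, send)
        if scope["type"] == "websocket":
            # Close during the handshake, before accept(); servers such as uvicorn
            # turn this into an HTTP 403 on the upgrade request.
            await send({"type": "websocket.close", "code": 1008})
            return
        body = json.dumps({"error": "unauthorized"}).encode()
        await send({"type": "http.response.start", "status": 401,
                    "headers": [(b"content-type", b"application/json"),
                                (b"www-authenticate", b"Bearer")]})
        await send({"type": "http.response.body", "body": body})


# Demo inner app standing in for the gateway (constructed, not the real server).
AGENTS = {"planner": None, "coder": None}


async def demo_gateway(scope, receive, send):
    if scope["type"] == "websocket":
        await send({"type": "websocket.accept"})  # only reachable once the middleware passed
        return
    payload = {"agents": list(AGENTS)} if scope["path"] == "/info" else {"ok": True}
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": json.dumps(payload).encode()})


def simulate(app, scope_type: str, path: str, headers=(), query: bytes = b"") -> list:
    """Drive `app` with a hand-built ASGI scope and return the messages it sent."""
    sent = []
    scope = {"type": scope_type, "path": path, "query_string": query,
             "headers": [(k.encode(), v.encode()) for k, v in headers]}

    async def receive():
        return {"type": "websocket.connect" if scope_type == "websocket" else "http.request", "body": b""}

    async def send(msg):
        sent.append(msg)

    asyncio.run(app(scope, receive, send))
    return sent


if __name__ == "__main__":
    token = os.environ.get("PRAISONAI_GATEWAY_TOKEN", "change-me")  # assumed variable name
    app = RequireGatewayToken(demo_gateway, token)
    print(simulate(app, "http", "/info"))                                          # 401, no agent list
    print(simulate(app, "websocket", "/ws"))                                       # websocket.close 1008
    print(simulate(app, "http", "/info", [("authorization", f"Bearer {token}")]))  # 200 with agents
```

A shared static token is the minimal fix and matches the shape of the reported problem (no check at all). In a real deployment it should travel only over TLS, be rotated, and be combined with binding the gateway to a loopback or private interface, since any client that can reach the port can still enumerate which paths exist.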
No detection rules found.
No public exploits indexed.