CVE-2026-39889
Published 2026-04-08
Priority P3 46 · high · CVSS 3.1 base score 7.5
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N
EPSS: 0.43% (percentile 34.1)
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health. This vulnerability is fixed in 4.5.115.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.115 | 4.5.115 |
| mervinpraison | praisonai | >= 0 < 4.5.115 | 4.5.115 |
| praison | praisonai | <= 4.5.114 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| GHSA | — | 9.1 | CRITICAL | — |
| OSV | — | 9.1 | CRITICAL | — |
OSV
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
osv · 2026-04-08 · CVSS 9.1 · CVE-2026-39889 [CRITICAL]
The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.
The create_a2u_routes() function registers the following endpoints with NO authentication checks:
- GET /a2u/info — exposes server info and stream names
- POST /a2u/subscribe — creates event stream subscription
- GET /a2u/events/{stream_name} — streams ALL agent events
- GET /a2u/events/sub/{id} — streams events for subscription
- GET /a2u/health — health check
An unauthenticated attacker can:
1. POST /a2u/subscribe → receive subscription_id
2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of a
GHSA
PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
ghsa · 2026-04-08 · CVSS 9.1 · CVE-2026-39889 [CRITICAL] · CWE-200
The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.
The create_a2u_routes() function registers the following endpoints with NO authentication checks:
- GET /a2u/info — exposes server info and stream names
- POST /a2u/subscribe — creates event stream subscription
- GET /a2u/events/{stream_name} — streams ALL agent events
- GET /a2u/events/sub/{id} — streams events for subscription
- GET /a2u/health — health check
An unauthenticated attacker can:
1. POST /a2u/subscribe → receive subscription_id
2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of a
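Both the OSV and the GHSA text above reduce to the same finding: create_a2u_routes() registers five routes and only one of them (/a2u/health) is safe to leave open. The Python below is an added example, not the advisory's text and not PraisonAI's code; it puts the pre-fix route policy (any routed request is served) beside a hardened policy over the same five paths, in which a bearer token gates every route except the health check and a subscription stream can only be read by the principal that created it. The bearer-token scheme, the class and function names, the 401/403 status choices, and the sample tokens are assumptions.

```python
"""Added example: allow/deny policy for the A2U routes named in the advisory.
Route paths are taken from the advisory; everything else is an assumption."""
import hmac
import re
import secrets

# The five endpoints the advisory lists. Only the health check stays open;
# anything that reveals stream names or agent events requires a caller identity.
A2U_ROUTES = [
    ("GET", re.compile(r"^/a2u/info$"), "auth"),
    ("POST", re.compile(r"^/a2u/subscribe$"), "auth"),
    ("GET", re.compile(r"^/a2u/events/(?P<stream>[^/]+)$"), "auth"),
    ("GET", re.compile(r"^/a2u/events/sub/(?P<sub_id>[^/]+)$"), "auth"),
    ("GET", re.compile(r"^/a2u/health$"), "open"),
]


def match_route(method, path):
    """Return (policy, path_params) for a request, or (None, {}) if unrouted."""
    for route_method, pattern, policy in A2U_ROUTES:
        m = pattern.match(path)
        if m and route_method == method:
            return policy, m.groupdict()
    return None, {}


def vulnerable_authorize(method, path, headers):
    """The pre-4.5.115 shape the advisory describes: every routed request is
    served, regardless of who sent it (headers are never consulted)."""
    policy, _ = match_route(method, path)
    return 404 if policy is None else 200


class A2UAccessPolicy:
    """Hardened counterpart (assumed design, not the project's fix)."""

    def __init__(self, tokens):
        # tokens: {token_string: principal_name}, assumed to be issued out of band.
        self._tokens = dict(tokens)
        self._subscriptions = {}  # sub_id -> owning principal

    def _principal(self, headers):
        """Map an Authorization header to a principal, or None if it is absent or wrong."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return None
        presented = auth[len("Bearer "):].encode()
        found = None
        # Constant-time comparison against every issued token, without early exit,
        # so response timing does not leak which token prefix was right.
        for token, principal in self._tokens.items():
            if hmac.compare_digest(presented, token.encode()):
                found = principal
        return found

    def subscribe(self, principal):
        """Called by the POST /a2u/subscribe handler after authorize() returned 200;
        the new subscription is bound to the caller that created it."""
        sub_id = secrets.token_urlsafe(16)
        self._subscriptions[sub_id] = principal
        return sub_id

    def authorize(self, method, path, headers):
        """Return the HTTP status the request should get: 200, 401, 403 or 404."""
        policy, params = match_route(method, path)
        if policy is None:
            return 404
        if policy == "open":
            return 200
        principal = self._principal(headers)
        if principal is None:
            return 401  # no usable token: say nothing about streams or subscriptions
        if "sub_id" in params and self._subscriptions.get(params["sub_id"]) != principal:
            # Unknown ids and other callers' ids both get 403, so the endpoint
            # cannot be used to enumerate which subscription ids exist.
            return 403
        return 200


if __name__ == "__main__":
    # Constructed sample tokens and requests.
    policy = A2UAccessPolicy({"alice-token": "alice", "bob-token": "bob"})
    alice = {"Authorization": "Bearer alice-token"}
    bob = {"Authorization": "Bearer bob-token"}
    sub = policy.subscribe("alice")
    print("before fix, anonymous event stream:", vulnerable_authorize("GET", "/a2u/events/main", {}))
    print("after fix, anonymous event stream:", policy.authorize("GET", "/a2u/events/main", {}))
    print("after fix, owner reads own subscription:", policy.authorize("GET", f"/a2u/events/sub/{sub}", alice))
    print("after fix, other user reads it:", policy.authorize("GET", f"/a2u/events/sub/{sub}", bob))
```

The health route is the only one left open because it discloses nothing about streams; /a2u/info is gated as well, since stream names are the first thing a reader needs before calling /a2u/events/{stream_name}. Binding a subscription id to the principal that created it closes the second half of the two-step sequence in the advisory even when an id leaks.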
No detection rules found.
No public exploits indexed.