CVE-2026-40116
Published 2026-04-09
Priority P349 · Severity high · CVSS 3.1 base score 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS 0.37% (29.1th percentile)
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.
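The description above, and the GHSA details further down, name three controls the `/media-stream` endpoint lacked before 4.5.128: Twilio request-signature validation, a cap on concurrent connections (each of which opens a paid OpenAI Realtime session), and limits on message rate and size. The following is an added example, not PraisonAI's `call.py` and not the snippet from the GHSA text; it implements those three controls in plain Python without FastAPI so the decisions can be run and tested in isolation. The signature scheme is Twilio's documented webhook-signing algorithm (HMAC-SHA1 keyed with the account auth token over the URL plus key-sorted POST parameters, base64-encoded); the URL, auth token, and every threshold are assumptions, and where the check sits in a real deployment (the TwiML webhook that issues the stream, or the WebSocket upgrade request) is left to the integrator.

```python
"""Added example: the three controls the advisory says /media-stream lacked.
Not PraisonAI's code. URL, token and thresholds are assumed values."""
import base64
import hashlib
import hmac
import time
from collections import deque


def twilio_signature(url: str, params: dict, auth_token: str) -> str:
    """Twilio's documented request-signing scheme: HMAC-SHA1 keyed with the
    account auth token over the full URL followed by each POST parameter's key
    concatenated with its value, in key-sorted order; the digest is base64."""
    payload = url + "".join(key + params[key] for key in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_twilio_signature(url, params, auth_token, presented) -> bool:
    """Constant-time comparison against the X-Twilio-Signature header value."""
    if not presented:
        return False
    return hmac.compare_digest(twilio_signature(url, params, auth_token), presented)


class StreamGuard:
    """Admission control for a WebSocket bridge whose upstream costs money.

    max_connections bounds how many upstream (OpenAI) sessions can exist at
    once; max_message_bytes and max_messages_per_window bound what each admitted
    client may push. All thresholds are illustrative, not project values."""

    def __init__(self, max_connections=4, max_message_bytes=16 * 1024,
                 max_messages_per_window=100, window_seconds=1.0,
                 clock=time.monotonic):
        self.max_connections = max_connections
        self.max_message_bytes = max_message_bytes
        self.max_messages_per_window = max_messages_per_window
        self.window_seconds = window_seconds
        self._clock = clock                # injectable for deterministic tests
        self._windows = {}                 # conn_id -> deque of message timestamps

    def try_admit(self, conn_id) -> bool:
        """Reject the handshake before any upstream session is opened."""
        if len(self._windows) >= self.max_connections:
            return False
        self._windows[conn_id] = deque()
        return True

    def release(self, conn_id) -> None:
        """Free the slot when the client disconnects (or is kicked)."""
        self._windows.pop(conn_id, None)

    def allow_message(self, conn_id, payload: bytes) -> bool:
        """Cheap size check first, then a sliding-window rate check."""
        window = self._windows.get(conn_id)
        if window is None or len(payload) > self.max_message_bytes:
            return False
        now = self._clock()
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_messages_per_window:
            return False
        window.append(now)
        return True


def handshake(guard, conn_id, url, params, auth_token, signature_header) -> str:
    """Order matters: authenticate first so unsigned floods never take a slot."""
    if not verify_twilio_signature(url, params, auth_token, signature_header):
        return "rejected: bad signature"
    if not guard.try_admit(conn_id):
        return "rejected: connection limit"
    return "admitted"


def simulate_flood(n_clients: int, signed: bool) -> dict:
    """Constructed scenario: n_clients attempt the handshake; tally outcomes."""
    url = "https://voice.example.invalid/media-stream"   # assumed endpoint URL
    token = "assumed-twilio-auth-token"                   # assumed auth token
    guard = StreamGuard(max_connections=4)
    outcomes = {}
    for i in range(n_clients):
        sig = twilio_signature(url, {}, token) if signed else "forged"
        result = handshake(guard, f"c{i}", url, {}, token, sig)
        outcomes[result] = outcomes.get(result, 0) + 1
    return outcomes


if __name__ == "__main__":
    print(simulate_flood(10, signed=False))
    print(simulate_flood(10, signed=True))
```

The ordering in `handshake` is the point worth carrying over: the signature check runs before a connection slot is taken and before anything is opened upstream, so an attacker without the auth token cannot even reach the connection cap, let alone spend OpenAI credits. The rate limiter is keyed per connection; a deployment that also wants a global message budget would add a second `StreamGuard`-style window shared across connections.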
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 0 < 4.5.128 | 4.5.128 |
| praison | praisonai | < 4.5.128 | 4.5.128 |
GHSA · 2026-04-10
CVE-2026-40116 [HIGH] CWE-770 PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
## Summary
The `/media-stream` WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits.
## Details
The vulnerability is in `src/praisonai/praisonai/api/call.py`: the FastAPI application defines the WebSocket endpoint at line 108 with no authentication middleware, no Twilio request-signature validation, and no rate limiting.
VulDB · 2026-04-10 · CVSS 7.5
CVE-2026-40116 [HIGH] MervinPraison PraisonAI up to 4.5.127 WebSocket Endpoint /media-stream allocation of resources (GHSA-q5r4-47m9-5mc7)
A vulnerability was found in MervinPraison PraisonAI up to 4.5.127; VulDB rates it as problematic. It affects the /media-stream WebSocket endpoint, where unauthenticated connections lead to uncontrolled resource allocation (CWE-770).
The issue is tracked as CVE-2026-40116. It is exploitable remotely; no public exploit is available.
Upgrading the affected component is advised.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published 2026-04-09