CVE-2026-40151
published 2026-04-09CVE-2026-40151: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles…
PriorityP341medium5.3CVSS 3.1
AVNACLPRNUINSUCLINAN
EXPLOIT
EPSS
0.76%
50.6th percentile
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=["*"] with host="0.0.0.0", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 0 < 4.5.128 | 4.5.128 |
| mervinpraison | praisonai | >= 4.2.1 < 4.6.59 | 4.6.59 |
| praison | praisonai | < 4.5.128 | 4.5.128 |
CVSS provenance
nvdv3.15.3MEDIUMCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
ghsa5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
ghsa·2026-06-18·CVSS 5.3
CVE-2026-40151 [MEDIUM] CWE-200 PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
# AgentOS remains unauthenticated after GHSA-pm96 patched version and allows remote agent invocation
## Summary
PraisonAI's `AgentOS` FastAPI deployment surface remains unauthenticated in
current main and in releases after the published patched version for
`GHSA-pm96-6xpr-978x` / `CVE-2026-40151`.
The public AgentOS advisory is published as an instruction-disclosure issue
with affected versions `= 4.2.1, <= 4.6.57`.
## Root Cause
`AgentOSConfig` / `AgentAppConfig` defaults the deployment host to all
interfaces and has no authentication fields:
```python
name: str = "PraisonAI App"
host: str = "0.0.0.0"
port: int = 8000
api_prefix: str = "/api"
```
`AgentOS._register_routes()`
VulDB
MervinPraison PraisonAI up to 4.5.127 /api/agents allow_origins information disclosure (GHSA-pm96-6xpr-978x)
vuldb·2026-04-10·CVSS 5.3
CVE-2026-40151 [MEDIUM] MervinPraison PraisonAI up to 4.5.127 /api/agents allow_origins information disclosure (GHSA-pm96-6xpr-978x)
A vulnerability labeled as problematic has been found in MervinPraison PraisonAI up to 4.5.127. Affected by this issue is the function allow_origins of the file /api/agents. Such manipulation leads to information disclosure.
This vulnerability is documented as CVE-2026-40151. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
ghsa·2026-04-10
CVE-2026-40151 [MEDIUM] CWE-200 PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
## Summary
The AgentOS deployment platform exposes a `GET /api/agents` endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS `allow_origins=["*"]` with `host="0.0.0.0"`, making every deployment network-accessible and queryable from any origin by default.
## Details
The `AgentOS._register_routes()` method at `src/praisonai/praisonai/app/agentos.py:118` registers all routes on a plain FastAPI app with no authentication dependencies:
```python
# agentos.py:147-160
@app.get(f"{self.config.api_prefix}/agents"
No detection rules found.
Nuclei
PraisonAI AgentOS - Information Disclosure
nuclei·CVSS 5.3
CVE-2026-40151 [MEDIUM] PraisonAI AgentOS - Information Disclosure
PraisonAI AgentOS - Information Disclosure
PraisonAI's AgentOS FastAPI application server exposes an unauthenticated `GET /api/agents` endpoint that lists every registered agent's name, role and the opening of its instructions (system prompt). No authentication is enforced on the route, allowing a remote attacker to enumerate agent configurations and harvest sensitive details embedded in system prompts, such as internal API references, business logic and credential hints. This endpoint belongs to the AgentOS FastAPI server and is distinct from the legacy Flask `/agents` server tracked as CVE-2026-44338.
Template:
id: CVE-2026-40151
info:
name: PraisonAI AgentOS - Information Disclosure
author: aryu-ru
severity: medium
description: |
PraisonAI's AgentOS FastAPI application server expose
No writeups or analysis indexed.
2026-04-09
Published