CVE-2026-40151

MEDIUM

5.3

Descricao

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=["*"] with host="0.0.0.0", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.

Detalhes CVE

Pontuacao CVSS v3.15.3

SeveridadeMEDIUM

Vetor CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Vetor de ataqueNETWORK

ComplexidadeLOW

Privilegios necessariosNONE

Interacao do usuarioNONE

Publicado4/9/2026

Ultima modificacao4/20/2026

Fontenvd

Avistamentos honeypot0

Produtos afetados

praison:praisonai

Fraquezas (CWE)

CWE-200

Referencias

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x(security-advisories@github.com)

Correlacoes IOC

Sem correlacoes registradas

This product uses data from the NVD API but is not endorsed or certified by the NVD.