{"url":"http://public2.vulnerablecode.io/api/packages/1003016?format=json","purl":"pkg:pypi/praisonaiagents@1.5.130","type":"pypi","namespace":"","name":"praisonaiagents","version":"1.5.130","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.6.37","latest_non_vulnerable_version":"1.6.40","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67832?format=json","vulnerability_id":"VCID-3krq-de6x-cbdq","summary":"PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks. This issue has been patched in version 1.6.32.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44335","reference_id":"","reference_type":"","scores":[{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18993","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.1897","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18811","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00059","scoring_system":"epss","scoring_elements":"0.18974","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44335"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44335","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44335"},{"reference_url":"https://github.com/advisories/GHSA-q9pw-vmhh-384g","reference_id":"GHSA-q9pw-vmhh-384g","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-q9pw-vmhh-384g"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q9pw-vmhh-384g","reference_id":"GHSA-q9pw-vmhh-384g","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.7","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T14:46:06Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q9pw-vmhh-384g"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/376085?format=json","purl":"pkg:pypi/praisonaiagents@1.6.32","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-gnv9-my7f-e7dc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.6.32"}],"aliases":["CVE-2026-44335","GHSA-q9pw-vmhh-384g"],"risk_score":4.4,"exploitability":"0.5","weighted_severity":"8.8","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-3krq-de6x-cbdq"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84333?format=json","vulnerability_id":"VCID-5bh1-sfdc-ufcv","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40289","reference_id":"","reference_type":"","scores":[{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22556","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22539","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.2235","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00073","scoring_system":"epss","scoring_elements":"0.22543","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40289"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40289","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40289"},{"reference_url":"https://github.com/advisories/GHSA-8x8f-54wf-vv92","reference_id":"GHSA-8x8f-54wf-vv92","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8x8f-54wf-vv92"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92","reference_id":"GHSA-8x8f-54wf-vv92","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T20:18:27Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373699?format=json","purl":"pkg:pypi/praisonaiagents@1.5.140","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3krq-de6x-cbdq"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.5.140"}],"aliases":["CVE-2026-40289","GHSA-8x8f-54wf-vv92"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-5bh1-sfdc-ufcv"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359772?format=json","vulnerability_id":"VCID-ah47-vxsb-1qfa","summary":"PraisonAI: Coarse-Grained Tool Approval Cache Bypasses Per-Invocation Consent for Shell Commands\n## Summary\n\nThe approval system in PraisonAI Agents caches tool approval decisions by tool name only, not by invocation arguments. Once a user approves `execute_command` for any command (e.g., `ls -la`), all subsequent `execute_command` calls in that execution context bypass the approval prompt entirely. Combined with `os.environ.copy()` passing all process environment variables to subprocesses, this allows an LLM agent (potentially via prompt injection) to silently exfiltrate API keys and credentials without further user consent.\n\n## Details\n\nThe `require_approval` decorator in `src/praisonai-agents/praisonaiagents/approval/__init__.py:176-178` checks approval status by tool name only:\n\n```python\n@wraps(func)\ndef wrapper(*args, **kwargs):\n if is_already_approved(tool_name): # line 177 — checks only tool_name\n return func(*args, **kwargs) # line 178 — bypasses ALL approval\n```\n\nThe `mark_approved` function in `registry.py:144-147` stores only the tool name string:\n\n```python\ndef mark_approved(self, tool_name: str) -> None:\n approved = self._approved_context.get(set())\n approved.add(tool_name) # stores \"execute_command\", not args\n self._approved_context.set(approved)\n```\n\nThe approval context is never cleared during agent execution — `clear_approved()` exists (`registry.py:152`) but is never called in the agent's tool execution path (`agent/tool_execution.py`).\n\nMeanwhile, the `ConsoleBackend` UI at `backends.py:95-96` misleads the user:\n\n```python\nreturn Confirm.ask(\n f\"Do you want to execute this {request.risk_level} risk tool?\",\n # \"this\" implies per-invocation approval\n)\n```\n\nThe UI displays the specific command arguments (lines 81-85), creating a reasonable expectation that the user is approving only that specific invocation.\n\nAdditionally, `shell_tools.py:77` passes the full process environment to every subprocess:\n\n```python\nprocess_env = os.environ.copy() # includes OPENAI_API_KEY, etc.\n```\n\nThere is no command filtering, blocklist, or environment variable sanitization in the shell tools module.\n\n## PoC\n\n```python\nfrom praisonaiagents import Agent\nfrom praisonaiagents.tools.shell_tools import execute_command\n\n# Step 1: Create agent with shell tool\nagent = Agent(\n name=\"worker\",\n instructions=\"You are a helpful assistant.\",\n tools=[execute_command]\n)\n\n# Step 2: Agent requests benign command — user sees Rich panel:\n# Function: execute_command\n# Risk Level: CRITICAL\n# Arguments:\n# command: ls -la\n# \"Do you want to execute this critical risk tool?\" [y/N]\n# User approves → mark_approved(\"execute_command\") is called\n\n# Step 3: All subsequent execute_command calls bypass approval silently:\n# execute_command(command=\"env\")\n# → returns ALL environment variables (OPENAI_API_KEY, AWS_SECRET_ACCESS_KEY, etc.)\n# → NO approval prompt shown\n\n# Step 4: Targeted extraction also bypasses approval:\n# execute_command(command=\"printenv OPENAI_API_KEY\")\n# → returns the specific API key\n# → NO approval prompt shown\n\n# Verification: check the approval cache\nfrom praisonaiagents.approval import is_already_approved\n# After approving \"ls -la\":\n# is_already_approved(\"execute_command\") → True\n# Any execute_command call now returns immediately at __init__.py:177-178\n```\n\n## Impact\n\n- **Secret exfiltration**: An LLM agent (or one subjected to prompt injection) can dump all process environment variables after a single benign command approval. Common secrets include `OPENAI_API_KEY`, `AWS_SECRET_ACCESS_KEY`, `DATABASE_URL`, and any other credentials passed via environment.\n- **Misleading consent UI**: The console prompt displays specific arguments and uses language (\"this tool\") that implies per-invocation consent, but the system grants session-wide blanket approval.\n- **No expiration or scope**: The approval cache uses a `ContextVar` that persists for the entire agent execution context with no timeout, no command-count limit, and no clearing between tool calls.\n- **No environment filtering**: `os.environ.copy()` passes every environment variable to subprocesses without filtering sensitive patterns.\n\n## Recommended Fix\n\n1. **Per-invocation approval for critical tools** — store a hash of `(tool_name, arguments)` instead of just `tool_name`, or require re-approval for each invocation of critical-risk tools:\n\n```python\n# In registry.py — change mark_approved/is_already_approved:\nimport hashlib, json\n\ndef mark_approved(self, tool_name: str, arguments: dict = None) -> None:\n approved = self._approved_context.get(set())\n risk = self._risk_levels.get(tool_name)\n if risk == \"critical\" and arguments:\n key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n else:\n key = tool_name\n approved.add(key)\n self._approved_context.set(approved)\n\ndef is_already_approved(self, tool_name: str, arguments: dict = None) -> bool:\n approved = self._approved_context.get(set())\n risk = self._risk_levels.get(tool_name)\n if risk == \"critical\" and arguments:\n key = f\"{tool_name}:{hashlib.sha256(json.dumps(arguments, sort_keys=True).encode()).hexdigest()}\"\n return key in approved\n return tool_name in approved\n```\n\n2. **Filter environment variables** in `shell_tools.py`:\n\n```python\nSENSITIVE_PATTERNS = ('_KEY', '_SECRET', '_TOKEN', '_PASSWORD', '_CREDENTIAL')\n\nprocess_env = {\n k: v for k, v in os.environ.items()\n if not any(p in k.upper() for p in SENSITIVE_PATTERNS)\n}\nif env:\n process_env.update(env)\n```","references":[{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3","reference_id":"","reference_type":"","scores":[{"value":"5.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-ffp3-3562-8cv3"},{"reference_url":"https://github.com/advisories/GHSA-ffp3-3562-8cv3","reference_id":"GHSA-ffp3-3562-8cv3","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-ffp3-3562-8cv3"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373395?format=json","purl":"pkg:pypi/praisonaiagents@4.5.128","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@4.5.128"}],"aliases":["GHSA-ffp3-3562-8cv3"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ah47-vxsb-1qfa"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84243?format=json","vulnerability_id":"VCID-dwef-8k3v-jfb6","summary":"PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the workflow engine is vulnerable to arbitrary command and code execution through untrusted YAML files. When praisonai workflow run loads a YAML file with type: job, the JobWorkflowExecutor in job_workflow.py processes steps that support run: (shell commands via subprocess.run()), script: (inline Python via exec()), and python: (arbitrary Python script execution)—all without any validation, sandboxing, or user confirmation. The affected code paths include action_run() in workflow.py and _exec_shell(), _exec_inline_python(), and _exec_python_script() in job_workflow.py. An attacker who can supply or influence a workflow YAML file (particularly in CI pipelines, shared repositories, or multi-tenant deployment environments) can achieve full arbitrary command execution on the host system, compromising the machine and any accessible data or credentials. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40288","reference_id":"","reference_type":"","scores":[{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34232","published_at":"2026-06-12T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34235","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34056","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00141","scoring_system":"epss","scoring_elements":"0.34256","published_at":"2026-06-13T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40288"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40288","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40288"},{"reference_url":"https://github.com/advisories/GHSA-vc46-vw85-3wvm","reference_id":"GHSA-vc46-vw85-3wvm","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vc46-vw85-3wvm"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm","reference_id":"GHSA-vc46-vw85-3wvm","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-04-14T15:56:49Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-vc46-vw85-3wvm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373699?format=json","purl":"pkg:pypi/praisonaiagents@1.5.140","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3krq-de6x-cbdq"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.5.140"}],"aliases":["CVE-2026-40288","GHSA-vc46-vw85-3wvm"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dwef-8k3v-jfb6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/84338?format=json","vulnerability_id":"VCID-ekcf-zxgu-8yh1","summary":"PraisonAI is a multi-agent teams system. Versions 4.5.138 and below are vulnerable to arbitrary code execution through automatic, unsanitized import of a tools.py file from the current working directory. Components including call.py (import_tools_from_file()), tool_resolver.py (_load_local_tools()), and CLI tool-loading paths blindly import ./tools.py at startup without any validation, sandboxing, or user confirmation. An attacker who can place a malicious tools.py in the directory where PraisonAI is launched (such as through a shared project, cloned repository, or writable workspace) achieves immediate arbitrary Python code execution in the host environment. This compromises the full PraisonAI process, the host system, and any connected data or credentials. This issue has been fixed in version 4.5.139.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40287","reference_id":"","reference_type":"","scores":[{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01882","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01869","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01873","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00012","scoring_system":"epss","scoring_elements":"0.01871","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-40287"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.139"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40287","reference_id":"","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-40287"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc","reference_id":"GHSA-g985-wjh9-qxxc","reference_type":"","scores":[{"value":"8.4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-14T13:23:23Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-g985-wjh9-qxxc"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373699?format=json","purl":"pkg:pypi/praisonaiagents@1.5.140","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3krq-de6x-cbdq"},{"vulnerability":"VCID-gnv9-my7f-e7dc"},{"vulnerability":"VCID-vuwr-p2ef-w3ay"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.5.140"}],"aliases":["CVE-2026-40287","GHSA-g985-wjh9-qxxc"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ekcf-zxgu-8yh1"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/67772?format=json","vulnerability_id":"VCID-gnv9-my7f-e7dc","summary":"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37, praisonaiagents resolves unresolved tool names against module globals and __main__ after it fails to match the declared tool list and the registry. With the default agent configuration, _perm_allow is None, so undeclared non-dangerous tool names are not rejected by the permission gate. An attacker who can influence tool-call names can therefore invoke unintended application callables that were never declared as tools. This issue has been patched in praisonai version 4.6.37 and praisonaiagents version 1.6.37.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44339","reference_id":"","reference_type":"","scores":[{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12817","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12732","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12835","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00041","scoring_system":"epss","scoring_elements":"0.12826","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44339"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44339","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44339"},{"reference_url":"https://github.com/advisories/GHSA-gmjg-hv98-qggq","reference_id":"GHSA-gmjg-hv98-qggq","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-gmjg-hv98-qggq"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq","reference_id":"GHSA-gmjg-hv98-qggq","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-08T17:03:56Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-gmjg-hv98-qggq"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/375914?format=json","purl":"pkg:pypi/praisonaiagents@1.6.37","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.6.37"}],"aliases":["CVE-2026-44339","GHSA-gmjg-hv98-qggq"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-gnv9-my7f-e7dc"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/359945?format=json","vulnerability_id":"VCID-mymr-xpdd-xues","summary":"PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint\n## Summary\n\nThe AGUI endpoint (`POST /agui`) has no authentication and hardcodes `Access-Control-Allow-Origin: *` on all responses. Combined with Starlette/FastAPI's Content-Type-agnostic JSON parsing, any website a victim visits can silently trigger arbitrary agent execution against a locally-running AGUI server and read the full response, including tool execution results and potentially sensitive data from the victim's environment.\n\n## Details\n\nThe vulnerability is a combination of three issues in `src/praisonai-agents/praisonaiagents/ui/agui/agui.py`:\n\n**1. No authentication (line 124-125):**\n```python\n@router.post(\"/agui\")\nasync def run_agent_agui(run_input: RunAgentInput):\n```\nThe endpoint accepts any request. `RunAgentInput` (defined in `types.py:159-165`) has no auth token, API key, or session validation field. No middleware or dependencies are attached to the router (line 111).\n\n**2. Hardcoded wildcard CORS (line 131-141):**\n```python\nreturn StreamingResponse(\n event_generator(),\n media_type=\"text/event-stream\",\n headers={\n \"Cache-Control\": \"no-cache\",\n \"Connection\": \"keep-alive\",\n \"Access-Control-Allow-Origin\": \"*\",\n \"Access-Control-Allow-Methods\": \"POST, GET, OPTIONS\",\n \"Access-Control-Allow-Headers\": \"*\",\n },\n)\n```\nThe `Access-Control-Allow-Origin: *` header is hardcoded in the library code. Library consumers cannot override this without patching the source.\n\n**3. CORS preflight bypass via Starlette's Content-Type-agnostic parsing:**\nStarlette's `Request.json()` (used internally by FastAPI for Pydantic body models) calls `json.loads(await self.body())` without verifying that `Content-Type` is `application/json`. A browser POST with `Content-Type: text/plain` is classified as a CORS \"simple request\" per the Fetch specification — no preflight OPTIONS request is sent. Since the JSON body is still parsed successfully, the request executes normally.\n\n**Attack flow:**\n1. Victim runs an AGUI server locally (the documented usage pattern per the class docstring at lines 42-50)\n2. Victim visits an attacker-controlled website\n3. Attacker's JavaScript sends `POST` to `http://localhost:8000/agui` with `Content-Type: text/plain` containing a JSON body — this is a simple request, no preflight\n4. FastAPI parses the JSON body into `RunAgentInput`, the agent executes with full tool capabilities\n5. The streaming response includes `Access-Control-Allow-Origin: *`, so the browser permits the attacker's JavaScript to read the response\n6. Attacker exfiltrates the agent's output, including any tool execution results\n\n## PoC\n\n**Prerequisites:** A locally running AGUI server (the default setup from documentation):\n\n```python\n# server.py - standard AGUI setup\nfrom praisonaiagents import Agent\nfrom praisonaiagents.ui.agui import AGUI\nfrom fastapi import FastAPI\nimport uvicorn\n\nagent = Agent(name=\"Assistant\", role=\"Helper\", goal=\"Help users\")\nagui = AGUI(agent=agent)\napp = FastAPI()\napp.include_router(agui.get_router())\nuvicorn.run(app, host=\"0.0.0.0\", port=8000)\n```\n\n**Exploit (runs on any website the victim visits):**\n\n```html\n\n```\n\n**Expected result:** The agent executes the attacker's prompt with whatever tools are configured (file access, code execution, API calls), and the full streamed response is readable by the attacker's JavaScript due to the wildcard CORS header.\n\n## Impact\n\n- **Remote code/tool execution**: Any website can trigger agent execution on a victim's local machine with the full permissions of the server process and all configured agent tools\n- **Data exfiltration**: Agent responses (including tool outputs like file contents, command results, API responses) are readable cross-origin due to the wildcard CORS header\n- **No user awareness**: The attack is silent — no browser prompts, no visible indicators. The victim only needs to have the AGUI server running and visit a malicious page\n- **Blast radius**: Impact depends on the agent's configured tools but can include filesystem access, environment variable exposure, network requests from the victim's machine, and arbitrary code execution if code-execution tools are enabled\n\n## Recommended Fix\n\n**1. Remove the hardcoded wildcard CORS headers and make CORS configurable:**\n\n```python\ndef __init__(\n self,\n agent: Optional[\"Agent\"] = None,\n agents: Optional[\"Agents\"] = None,\n name: Optional[str] = None,\n description: Optional[str] = None,\n prefix: str = \"\",\n tags: Optional[List[str]] = None,\n allowed_origins: Optional[List[str]] = None, # NEW\n):\n # ...\n self.allowed_origins = allowed_origins or []\n```\n\n**2. Remove CORS headers from the StreamingResponse** and let consumers configure CORS via FastAPI's `CORSMiddleware` with specific origins:\n\n```python\nreturn StreamingResponse(\n event_generator(),\n media_type=\"text/event-stream\",\n headers={\n \"Cache-Control\": \"no-cache\",\n \"Connection\": \"keep-alive\",\n },\n)\n```\n\n**3. Add a Content-Type check** as defense-in-depth to prevent simple-request CORS bypass:\n\n```python\nfrom fastapi import Request, HTTPException\n\n@router.post(\"/agui\")\nasync def run_agent_agui(request: Request, run_input: RunAgentInput):\n content_type = request.headers.get(\"content-type\", \"\")\n if \"application/json\" not in content_type:\n raise HTTPException(status_code=415, detail=\"Content-Type must be application/json\")\n # ... rest of handler\n```\n\n**4. Add authentication support** (e.g., an API key or bearer token dependency on the router) so that cross-origin requests without valid credentials are rejected.","references":[{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4"},{"reference_url":"https://github.com/advisories/GHSA-x462-jjpc-q4q4","reference_id":"GHSA-x462-jjpc-q4q4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x462-jjpc-q4q4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/373395?format=json","purl":"pkg:pypi/praisonaiagents@4.5.128","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@4.5.128"}],"aliases":["GHSA-x462-jjpc-q4q4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mymr-xpdd-xues"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/80695?format=json","vulnerability_id":"VCID-vuwr-p2ef-w3ay","summary":"PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.9 and praisonaiagents version 1.6.9, the fix for CVE-2026-40315 added input validation to SQLiteConversationStore only. Nine sibling backends — MySQL, PostgreSQL, async SQLite/MySQL/PostgreSQL, Turso, SingleStore, Supabase, SurrealDB — pass table_prefix straight into f-string SQL. Same root cause, same code pattern, same exploitation. 52 unvalidated injection points across the codebase. postgres.py additionally accepts an unvalidated schema parameter used directly in DDL. This issue has been patched in praisonai version 4.6.9 and praisonaiagents version 1.6.9.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41496","reference_id":"","reference_type":"","scores":[{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03658","published_at":"2026-06-14T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03635","published_at":"2026-06-11T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03644","published_at":"2026-06-13T12:55:00Z"},{"value":"0.00016","scoring_system":"epss","scoring_elements":"0.03651","published_at":"2026-06-12T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-41496"},{"reference_url":"https://github.com/MervinPraison/PraisonAI","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/MervinPraison/PraisonAI"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41496","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-41496"},{"reference_url":"https://github.com/advisories/GHSA-rg3h-x3jw-7jm5","reference_id":"GHSA-rg3h-x3jw-7jm5","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-rg3h-x3jw-7jm5"},{"reference_url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5","reference_id":"GHSA-rg3h-x3jw-7jm5","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T23:17:23Z/"}],"url":"https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-rg3h-x3jw-7jm5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/374208?format=json","purl":"pkg:pypi/praisonaiagents@1.6.8","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-3krq-de6x-cbdq"},{"vulnerability":"VCID-gnv9-my7f-e7dc"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.6.8"}],"aliases":["CVE-2026-41496","GHSA-rg3h-x3jw-7jm5"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-vuwr-p2ef-w3ay"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:pypi/praisonaiagents@1.5.130"}