Skip to main content

PraisonAI CVE-2026-39889

| EUVDEUVD-2026-20636 HIGH
Information Exposure (CWE-200)
2026-04-08 https://github.com/MervinPraison/PraisonAI GHSA-f292-66h9-fpmf
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 09, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 08, 2026 - 19:31 euvd
EUVD-2026-20636
Analysis Generated
Apr 08, 2026 - 19:31 vuln.today
CVE Published
Apr 08, 2026 - 19:21 nvd
HIGH 7.5

DescriptionGitHub Advisory

The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.

The create_a2u_routes() function registers the following endpoints with NO authentication checks:

  • GET /a2u/info - exposes server info and stream names
  • POST /a2u/subscribe - creates event stream subscription
  • GET /a2u/events/{stream_name} - streams ALL agent events
  • GET /a2u/events/sub/{id} - streams events for subscription
  • GET /a2u/health - health check

An unauthenticated attacker can:

  1. POST /a2u/subscribe → receive subscription_id
  2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream

of all agent events including responses, tool calls, and thinking

This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker.

<img width="1512" height="947" alt="image" src="https://github.com/user-attachments/assets/3438f3ea-75ec-4978-9dd9-d9a6da42c248" />

<img width="1512" height="571" alt="image" src="https://github.com/user-attachments/assets/ee3313f6-f522-48f7-9c06-e5e265c6aeb4" />

[1] POST /a2u/subscribe (no auth token) Status: 200 Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"} Got subscription_id: sub-a1ad8a6edd8b

[2] GET /a2u/info (no auth token) Status: 200 Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]}

[3] GET /a2u/health (no auth token) Status: 200 Response: {"status":"healthy","active_subscriptions":1,"active_streams":1}

Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time

AnalysisAI

Unauthenticated information disclosure in PraisonAI's A2U event stream server allows remote attackers to intercept real-time AI agent activity including responses, internal reasoning chains, and tool invocation arguments. The create_a2u_routes() function exposes five endpoints (/a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, /a2u/health) without authentication controls. Attackers subscribe via POST /a2u/subscribe to receive subscription IDs, then stream live Server-Sent Events containing sensitive agent outputs. Affects PraisonAI Python package (pkg:pip/praisonai) versions prior to 4.5.115. No public exploit identified at time of analysis.

Technical ContextAI

The vulnerability stems from missing authentication middleware in FastAPI route registration within create_a2u_routes(). All five A2U endpoints accept unauthenticated HTTP requests, violating CWE-200 (Exposure of Sensitive Information). SSE streaming endpoints return agent.thinking, agent.tool_call, and agent.response event types containing AI reasoning and execution data without identity verification, separate from the gateway authentication issue addressed in CVE-2026-34952.

RemediationAI

Vendor-released patch: upgrade to PraisonAI version 4.5.115 or later, which implements authentication controls for A2U event stream endpoints. Organizations unable to immediately upgrade should implement network-level access controls to restrict /a2u/* endpoint access to trusted IP ranges only. Deploy reverse proxy authentication (OAuth2/JWT) in front of the A2U service. Monitor logs for unauthorized POST /a2u/subscribe requests indicating reconnaissance activity. Disable A2U event streaming entirely if real-time agent monitoring is not operationally required. Vendor security advisory and release notes available at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f292-66h9-fpmf and https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115.

Share

CVE-2026-39889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy