Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionGitHub Advisory
The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.
The create_a2u_routes() function registers the following endpoints with NO authentication checks:
- GET /a2u/info - exposes server info and stream names
- POST /a2u/subscribe - creates event stream subscription
- GET /a2u/events/{stream_name} - streams ALL agent events
- GET /a2u/events/sub/{id} - streams events for subscription
- GET /a2u/health - health check
An unauthenticated attacker can:
- POST /a2u/subscribe → receive subscription_id
- GET /a2u/events/sub/{subscription_id} → receive live SSE stream
of all agent events including responses, tool calls, and thinking
This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker.
<img width="1512" height="947" alt="image" src="https://github.com/user-attachments/assets/3438f3ea-75ec-4978-9dd9-d9a6da42c248" />
<img width="1512" height="571" alt="image" src="https://github.com/user-attachments/assets/ee3313f6-f522-48f7-9c06-e5e265c6aeb4" />
[1] POST /a2u/subscribe (no auth token) Status: 200 Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"} Got subscription_id: sub-a1ad8a6edd8b
[2] GET /a2u/info (no auth token) Status: 200 Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]}
[3] GET /a2u/health (no auth token) Status: 200 Response: {"status":"healthy","active_subscriptions":1,"active_streams":1}
Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time
AnalysisAI
Unauthenticated information disclosure in PraisonAI's A2U event stream server allows remote attackers to intercept real-time AI agent activity including responses, internal reasoning chains, and tool invocation arguments. The create_a2u_routes() function exposes five endpoints (/a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, /a2u/health) without authentication controls. Attackers subscribe via POST /a2u/subscribe to receive subscription IDs, then stream live Server-Sent Events containing sensitive agent outputs. Affects PraisonAI Python package (pkg:pip/praisonai) versions prior to 4.5.115. No public exploit identified at time of analysis.
Technical ContextAI
The vulnerability stems from missing authentication middleware in FastAPI route registration within create_a2u_routes(). All five A2U endpoints accept unauthenticated HTTP requests, violating CWE-200 (Exposure of Sensitive Information). SSE streaming endpoints return agent.thinking, agent.tool_call, and agent.response event types containing AI reasoning and execution data without identity verification, separate from the gateway authentication issue addressed in CVE-2026-34952.
RemediationAI
Vendor-released patch: upgrade to PraisonAI version 4.5.115 or later, which implements authentication controls for A2U event stream endpoints. Organizations unable to immediately upgrade should implement network-level access controls to restrict /a2u/* endpoint access to trusted IP ranges only. Deploy reverse proxy authentication (OAuth2/JWT) in front of the A2U service. Monitor logs for unauthorized POST /a2u/subscribe requests indicating reconnaissance activity. Disable A2U event streaming entirely if real-time agent monitoring is not operationally required. Vendor security advisory and release notes available at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f292-66h9-fpmf and https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115.
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20636
GHSA-f292-66h9-fpmf