What is the CVSS score of CVE-2026-40115?

CVE-2026-40115 has a CVSS 3.1 base score of 6.2 (Medium). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-40115?

Yes, a patch is available for CVE-2026-40115. Update the affected software to the latest version immediately.

Praisonai CVE-2026-40115

EUVD-2026-21160 MEDIUM

Allocation of Resources Without Limits or Throttling (CWE-770)

2026-04-09 GitHub_M

GHSA-2xgv-5cv2-47vv

Denial Of Service Praisonai

6.2

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

6.2 MEDIUM

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Lifecycle Timeline

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21160

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

CVE Published

Apr 09, 2026 - 21:19 nvd

MEDIUM 6.2

DescriptionGitHub Advisory

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (serve.py) has RequestSizeLimitMiddleware with a 10MB limit, but the WSGI server lacks any equivalent protection. This vulnerability is fixed in 4.5.128.

AnalysisAI

Memory exhaustion denial of service in PraisonAI's WSGI-based recipe registry server (server.py) affects versions prior to 4.5.128. The vulnerability allows unauthenticated local processes to send arbitrarily large POST requests by spoofing the Content-Length header, causing the server to allocate unbounded memory and crash. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate but realistically exploitable denial of service risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker with local shell access to a host running PraisonAI crafts a custom HTTP POST request to the WSGI recipe registry server with a fraudulent Content-Length header claiming a payload of 10GB, then sends only a small amount of data. The WSGI server allocates memory to buffer the claimed Content-Length and enters a wait state for the remaining data, accumulating memory pressure. …
Remediation	Upgrade PraisonAI to version 4.5.128 or later, which implements request size limits in the WSGI server analogous to the RequestSizeLimitMiddleware present in the Starlette implementation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40115 vulnerability details – vuln.today

Back

Praisonai CVE-2026-40115

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Vulnerability AssessmentAI

Share

External POC / Exploit Code