What is the CVSS score of CVE-2026-40149?

CVE-2026-40149 has a CVSS 3.1 base score of 7.9 (High). CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Praisonai are affected by CVE-2026-40149?

PraisonAI versions prior to 4.5.128 contain a high-severity vulnerability allowing attackers with local access to bypass critical safety controls by modifying tool approval settings, potentially…. A patch is available.

How to fix or mitigate CVE-2026-40149?

Within 24 hours: Identify all PraisonAI deployments and confirm installed versions; isolate any instances running versions prior to 4.5.128 from untrusted local access. Within 7 days: Implement strict network access controls restricting access to /api/approval/allow-list endpoint to trusted administrators only; enable audit logging of all approval allowlist modifications. Within 30 days: Contact PraisonAI vendor to determine if patch version 4.5.128 or later is available and applicable to your deployment; evaluate upgrade feasibility and deploy patched version.

Praisonai CVE-2026-40149

EUVD-2026-21168 HIGH

Declaration of Catch for Generic Exception (CWE-396)

2026-04-09 GitHub_M

GHSA-4wr3-f4p3-5wjh

Authentication Bypass Praisonai

7.9

CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY

7.9 HIGH

AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 20, 2026 - 20:07 vuln.today

cvss_changed

Patch released

Apr 10, 2026 - 20:30 nvd

Patch available

EUVD ID Assigned

Apr 09, 2026 - 21:45 euvd

EUVD-2026-21168

Analysis Generated

Apr 09, 2026 - 21:45 vuln.today

CVE Published

Apr 09, 2026 - 21:23 nvd

HIGH 7.9

DescriptionGitHub Advisory

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.

AnalysisAI

Unauthenticated modification of the tool approval allowlist in PraisonAI multi-agent system (versions prior to 4.5.128) enables attackers to bypass human-in-the-loop safety controls by injecting dangerous tool names (shell_exec, file_write) into the allowlist via the /api/approval/allow-list gateway endpoint. The ExecApprovalManager then auto-approves agent invocations of these tools, circumventing the approval mechanism's core security function. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Send unauthenticated request to /api/approval/allow-list endpoint

Exploit

Add dangerous tool names to allowlist

Execution

ExecApprovalManager auto-approves tool invocations

Impact

Bypass human-in-the-loop safety mechanism

Access

Send unauthenticated request to /api/approval/allow-list endpoint

Exploit

Add dangerous tool names to allowlist

Execution

ExecApprovalManager auto-approves tool invocations

Impact

Bypass human-in-the-loop safety mechanism

Vulnerability AssessmentAI

Exploitation	PraisonAI versions prior to 4.5.128 with default configuration (no auth_token configured). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	Local unauthenticated access to gateway endpoint permits direct allowlist manipulation, bypassing safety controls for dangerous tool execution. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	Attacker with local access sends unauthenticated POST to /api/approval/allow-list, adding 'shell_exec' to allowlist. Subsequent agent requests for shell execution auto-approve without human review, enabling arbitrary command execution. …
Remediation	Vendor-released patch: upgrade to PraisonAI version 4.5.128 or later, which enforces authentication requirements on the /api/approval/allow-list endpoint. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all PraisonAI deployments and confirm installed versions; isolate any instances running versions prior to 4.5.128 from untrusted local access. …

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-40149 vulnerability details – vuln.today

Back

Praisonai CVE-2026-40149

Severity by source

CVSS VectorGitHub Advisory

Lifecycle Timeline

DescriptionGitHub Advisory

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

Share

External POC / Exploit Code