Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable endpoint with no auth (AV:N, PR:N); victim must browse attacker page (UI:R); agent execution and data read yield C:H/I:H; no availability impact.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
AnalysisAI
Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the victim to (a) be running a PraisonAI AGUI server reachable from the victim's browser (the documented localhost usage pattern is sufficient) and (b) visit an attacker-controlled web page in that same browser session - this is the UI:P (passive user interaction) factor in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Vendor CVSS 4.0 of 8.6 (AV:N/AC:L/PR:N/UI:P/VC:H/VI:H/VA:N) accurately reflects the realistic risk: exploitation needs no authentication and no special network position, only that the victim browse an attacker page while the local AGUI server is running - the documented deployment pattern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer runs PraisonAI's AGUI server locally on port 8000 to use the agent UI, then visits an attacker-controlled or compromised website in the same browser. Attacker JavaScript issues fetch('http://localhost:8000/agui', {method:'POST', headers:{'Content-Type':'text/plain'}, body: JSON.stringify(runInput)}) - the text/plain Content-Type makes it a CORS simple request, the wildcard ACAO lets the script read the streamed SSE response, and the agent executes with its full tool set, returning command output, file contents, and environment data to the attacker page. |
| Remediation | Vendor-released patch: praisonaiagents 4.5.128 (also referenced as PraisonAI 1.5.128 in the NVD entry) - upgrade via pip install --upgrade praisonaiagents>=4.5.128 per GHSA-x462-jjpc-q4q4 at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running PraisonAI and determine which expose the AGUI endpoint to the network; audit stored environment variables and credentials for exposure risk. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Cors Misconfiguration
View allBruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut
Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to
Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint
Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional
Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.
Misconfigured CORS headers in this web application permit cross-origin requests from any domain, enabling attackers to c
Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments
Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web o
The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable
Same-origin policy bypass in the DOM: Workers component. Rated high severity (CVSS 8.1), this vulnerability is remotely
Same-origin policy bypass in the DOM: Notifications component. Rated high severity (CVSS 8.1), this vulnerability is rem
WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37960
GHSA-5fr5-2c3f-3fcr