Skip to main content

PraisonAI CVE-2026-56076

| EUVDEUVD-2026-37960 HIGH
Permissive Cross-domain Security Policy with Untrusted Domains (CWE-942)
2026-06-18 VulnCheck GHSA-5fr5-2c3f-3fcr
8.6
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Network-reachable endpoint with no auth (AV:N, PR:N); victim must browse attacker page (UI:R); agent execution and data read yield C:H/I:H; no availability impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
Patch available
Jun 19, 2026 - 02:01 EUVD
Source Code Evidence Fetched
Jun 18, 2026 - 23:17 vuln.today
Analysis Generated
Jun 18, 2026 - 23:17 vuln.today

DescriptionCVE.org

PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.

AnalysisAI

Cross-origin agent execution in PraisonAI's AGUI endpoint allows any attacker-controlled website to silently invoke locally-running agents and exfiltrate their streaming responses, including tool execution results and sensitive environment data. The flaw stems from a triad of issues - no authentication on POST /agui, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing - that together let a simple cross-origin request bypass the browser's preflight check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Victim runs local AGUI server
Delivery
Victim visits attacker page
Exploit
JS POSTs JSON with text/plain Content-Type
Install
CORS preflight bypassed as simple request
C2
Agent executes with full tool capabilities
Execute
Wildcard CORS lets script read streamed response
Impact
Tool output and environment data exfiltrated

Vulnerability AssessmentAI

Exploitation Requires the victim to (a) be running a PraisonAI AGUI server reachable from the victim's browser (the documented localhost usage pattern is sufficient) and (b) visit an attacker-controlled web page in that same browser session - this is the UI:P (passive user interaction) factor in the CVSS 4.0 vector. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Vendor CVSS 4.0 of 8.6 (AV:N/AC:L/PR:N/UI:P/VC:H/VI:H/VA:N) accurately reflects the realistic risk: exploitation needs no authentication and no special network position, only that the victim browse an attacker page while the local AGUI server is running - the documented deployment pattern. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario A developer runs PraisonAI's AGUI server locally on port 8000 to use the agent UI, then visits an attacker-controlled or compromised website in the same browser. Attacker JavaScript issues fetch('http://localhost:8000/agui', {method:'POST', headers:{'Content-Type':'text/plain'}, body: JSON.stringify(runInput)}) - the text/plain Content-Type makes it a CORS simple request, the wildcard ACAO lets the script read the streamed SSE response, and the agent executes with its full tool set, returning command output, file contents, and environment data to the attacker page.
Remediation Vendor-released patch: praisonaiagents 4.5.128 (also referenced as PraisonAI 1.5.128 in the NVD entry) - upgrade via pip install --upgrade praisonaiagents>=4.5.128 per GHSA-x462-jjpc-q4q4 at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running PraisonAI and determine which expose the AGUI endpoint to the network; audit stored environment variables and credentials for exposure risk. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2025-30354 HIGH POC
8.7 Apr 01

Bruno is an open source IDE for exploring and testing APIs. Rated high severity (CVSS 8.7), this vulnerability is no aut

CVE-2026-34449 CRITICAL
9.6 Mar 31

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to

CVE-2026-6662 MEDIUM POC
5.5 Apr 20

Permissive CORS policy in ericc-ch copilot-api up to version 0.7.0 allows remote attackers to access the Token Endpoint

CVE-2026-9739 CRITICAL
9.4 May 27

Cross-origin data exposure in Google's MCP Toolbox for Databases stems from the SSE initialization handler unconditional

CVE-2026-8948 CRITICAL
9.1 May 19

Same-origin policy bypass in the DOM: Networking component. This vulnerability was fixed in Firefox 151.

CVE-2026-30924 CRITICAL
9.0 Mar 19

Misconfigured CORS headers in this web application permit cross-origin requests from any domain, enabling attackers to c

CVE-2026-50088 HIGH
8.2 Jun 12

Cross-origin information disclosure in the Aqara Developer Portal (developer.aqara.com) and its shared test environments

CVE-2026-50087 HIGH
8.2 Jun 12

Cross-origin information disclosure in the Aqara IAM/SSO gateway (gw-builder.aqara.com) allows attacker-controlled web o

CVE-2025-43480 HIGH
8.1 Nov 04

The issue was addressed with improved checks. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable

CVE-2025-13019 HIGH
8.1 Nov 11

Same-origin policy bypass in the DOM: Workers component. Rated high severity (CVSS 8.1), this vulnerability is remotely

CVE-2025-13017 HIGH
8.1 Nov 11

Same-origin policy bypass in the DOM: Notifications component. Rated high severity (CVSS 8.1), this vulnerability is rem

CVE-2026-41056 HIGH
8.1 Apr 21

WWBN AVideo is an open source video platform. In versions 29.0 and below, the `allowOrigin($allowAll=true)` function in

Share

CVE-2026-56076 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy