Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Remotely reachable default with no authentication (AV:N/AC:L/PR:N/UI:N); high confidentiality from prompt disclosure, low integrity/availability from unauthorized agent invocation and resource abuse.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication.
AnalysisAI
Unauthenticated agent access in PraisonAI before 1.7.3 lets remote attackers read agent instructions and system prompts and directly invoke agents because the server ships with insecure defaults - binding to all network interfaces (0.0.0.0), enforcing no API key, and allowing wildcard CORS. Any attacker who can reach the service can call GET /api/agents to exfiltrate proprietary prompt logic or POST /api/chat to abuse the agents without credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only network reachability to a PraisonAI instance older than 1.7.3 running its default configuration, where the server binds to all interfaces (0.0.0.0) with no API key set and wildcard CORS enabled - the vulnerable endpoints are GET /api/agents (reads agent instructions/system prompts) and POST /api/chat (invokes agents). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L) scores 8.8 and is internally consistent with the description: remote, low-complexity, no privileges, no user interaction, with high confidentiality impact (prompt/instruction disclosure) and lower integrity/availability impact (unauthorized agent invocation). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker scans for PraisonAI instances exposed on the network and sends an unauthenticated GET /api/agents request, retrieving the full system prompts and instructions of every configured agent - leaking proprietary logic and any embedded context. The attacker then issues POST /api/chat calls to drive the agents directly, consuming API/LLM resources on the victim's account and potentially triggering agent tool actions. … |
| Remediation | Vendor-released patch: 1.7.3 - upgrade PraisonAI to 1.7.3 or later, which corrects the insecure defaults; see the advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6wjp-v33h-5cvq. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all PraisonAI deployments and assess network exposure; immediately implement firewall rules restricting access to known internal IPs or air-gap the service if possible. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Remote code execution in PraisonAI before 1.6.78 allows attackers to run arbitrary Python on the host by manipulating th
Root-level command execution and arbitrary file write in PraisonAI's AICoder component (all versions before 4.6.78) let
Path traversal in PraisonAI multi-agent teams system (versions prior to 4.5.128) enables arbitrary file overwrite throug
Remote code execution in PraisonAI before 4.6.78 lets an attacker who can supply the agents_file parameter to deploy/api
SQL/CQL injection in PraisonAI's PGVector and Cassandra knowledge-store backends before 4.6.78 allows a caller who contr
PraisonAI AgentOS prior to version 4.5.128 exposes agent metadata including names, roles, and system instruction snippet
Remote code execution in PraisonAI multi-agent framework (versions prior to 4.5.128) allows unauthenticated attackers to
Unauthenticated remote session hijacking in PraisonAI's browser bridge (versions <4.5.139) and praisonaiagents (<1.5.140
Webhook signature-verification bypass in PraisonAI before 4.6.78 lets unauthenticated attackers forge Svix 'message.rece
Authentication bypass in PraisonAI before 4.6.78 lets a remote, unauthenticated attacker reach the Call API agent-invoca
System prompt extraction and unauthorized tool invocation in PraisonAI before 4.6.78 arise because the prompt-injection
Security-policy bypass in PraisonAI before 4.6.78 renders the default Subprocess Sandbox backend inert, so administrator
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43176
GHSA-g3pq-3vvx-36w6