PT-2026-31784 · Starlette+1

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-40115
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 4.5.128

Description: PraisonAI is a multi-agent teams system. The WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory, sized by the client-supplied Content-Length header, without any limit. With authentication disabled by default, any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (serve.py) has RequestSizeLimitMiddleware with a 10 MB limit, but the WSGI server lacks equivalent protection.

Recommendations: Update to version 4.5.128 or later.
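As an added example (not PraisonAI's or Starlette's code), a bounded WSGI body reader of the kind the WSGI server lacks: the 10 MB cap mirrors the figure the advisory gives for the Starlette middleware, and the function names, the endpoint and the in-process test driver are all constructed here.

```python
import io

# Cap mirrors the 10 MB limit the advisory cites for the Starlette server;
# the constant names are ours, not PraisonAI's.
MAX_BODY_BYTES = 10 * 1024 * 1024
CHUNK = 64 * 1024

def read_body_bounded(environ, limit=MAX_BODY_BYTES):
    """Return the body, or None when the request must be rejected with 413.
    The advisory's pattern, wsgi.input.read(int(CONTENT_LENGTH)), lets the
    client choose the allocation size; here the declared size is checked
    against the cap first and the stream is read in bounded chunks."""
    try:
        declared = int(environ.get("CONTENT_LENGTH") or "0")
    except ValueError:
        return None
    if declared < 0 or declared > limit:
        return None
    chunks, remaining = [], declared
    stream = environ["wsgi.input"]
    while remaining > 0:
        chunk = stream.read(min(CHUNK, remaining))
        if not chunk:  # client sent less than declared: stop, don't block
            break
        chunks.append(chunk)
        remaining -= len(chunk)
    return b"".join(chunks)

def registry_app(environ, start_response):
    """Hypothetical WSGI endpoint wired to the bounded reader."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("405 Method Not Allowed", [("Content-Type", "text/plain")])
        return [b"method not allowed"]
    body = read_body_bounded(environ)
    if body is None:
        start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
        return [b"request body exceeds limit"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"received %d bytes" % len(body)]

def call(app, body, declared_length=None):
    """Constructed in-process driver: builds a WSGI environ, returns (status, body)."""
    length = len(body) if declared_length is None else declared_length
    environ = {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(length),
               "wsgi.input": io.BytesIO(body)}
    seen = {}
    out = b"".join(app(environ, lambda status, headers: seen.setdefault("status", status)))
    return seen["status"], out
```

The check on the declared size happens before any read, so an oversized Content-Length costs the server nothing; the chunked loop additionally stops when the stream ends early instead of trusting the header.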

Exploit · Fix · DoS · Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers
CVE-2026-40115
GHSA-2XGV-5CV2-47VV

Affected Products
Praisonai
Starlette