PT-2026-57434 · Praisonai · Praisonai
Dinhvaren
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-61426
CVSS v3.1
8.6
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
PraisonAI versions prior to 1.7.3
Description
The software has an insecure default configuration that binds to all network interfaces, lacks API key requirements, and uses wildcard CORS (Cross-Origin Resource Sharing), which allows resources to be requested from any domain. Unauthenticated attackers can access the 'GET /api/agents' endpoint to read agent instructions and system prompts, or use the 'POST /api/chat' endpoint to invoke agents.
Recommendations
Update PraisonAI to version 1.7.3 or later.
Fix
Information Disclosure
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Praisonai