CVE-2026-40151

Exploit

EPSS 0.76%
Veröffentlicht 09.04.2026 22:16:36
Zuletzt bearbeitet 20.04.2026 18:33:18
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=["*"] with host="0.0.0.0", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Praison ≫ Praisonai Version < 4.5.128

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.76%	0.504

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	5.3	3.9	1.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-40151

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-40151

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-40151

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-40151