PraisonAI’s Gateway server prior to version 4.5.97 exposes a WebSocket endpoint at /ws and an information endpoint at /info without any form of authentication. This does not limit netw ork clients to performing only benign actions; they can enumerate registered agents and issue arbitrary messages to those agents and their tool sets. The missing authentication therefore allows an unauthenticated attacker to gain full control over the agents, potentially enabling the execution of arbitrary code or manipulation of the system’s behavior. The vulnerability’s nature aligns with CWE‑306, reflecting an authentication bypass that leads to unauthorized control, which justifies the high CVSS score of 9.1.

The affected product is PraisonAI from MervinPraison. The vulnerability applies to all releases prior to version 4.5.97. Updated versions beginning with 4.5.97 have the authentication controls added to the WebSocket and /info endpoints.

With a CVSS of 9.1 the vulnerability is classified as critical, yet the EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. The lack of listing in CISA’s KEV catalog indicates no known widespread exploitation. The attack vector is inferred to be remote, relying on any network client that can reach the Gateway’s WebSocket interface. Once connected, an attacker can arbitrarily talk to agents, potentially steering them to execute arbitrary commands or modify their tool sets. The risk is high for organizations running PraisonAI without updated versions and without network segmentation or authentication controls.