Description
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health. This vulnerability is fixed in 4.5.115.
Published: 2026-04-08
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

PraisonAI’s Agent‑to‑User event stream server lacks authentication checks, allowing any user to subscribe to server‑sent events and view complete agent activity logs. This exposes private operational details, potential credentials, and internal communications. The vulnerability is a classic information‑disclosure flaw that can be exploited to learn sensitive system data without needing privileged access.

Affected Systems

The vulnerability applies to PraisonAI builds prior to version 4.5.115. Endpoints such as /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health are unprotected and may be accessed by anyone able to reach the A2U server. No other vendors or products are currently reported impacted.

Risk and Exploitability

The CVSS base score of 7.5 indicates moderate‑to‑high severity. Although the EPSS score is less than 1%, the lack of authentication means an attacker only needs network access to the server, and no additional conditions or privileges are required. The vulnerability is not listed in the CISA KEV catalog, suggesting no mass exploitation yet, but the exposure of full agent activity poses significant risk to confidentiality and operational integrity. Because the attack vector is remote HTTP, any exposed network surface could be used by threat actors.

Generated by OpenCVE AI on April 17, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PraisonAI release (4.5.115 or newer) to remove the unauthenticated endpoints
  • If an upgrade cannot be performed immediately, restrict network access to the A2U server using firewall rules or VPN so that only authorized users can connect
  • Monitor logs for suspicious access to SSE streams after patching
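The last two recommendations above (restrict the A2U server to trusted networks, then watch for access to the SSE streams) can be checked against an HTTP access log. The following is an added example, not OpenCVE's or PraisonAI's own code: it parses Common Log Format lines (an assumption about the reverse proxy in front of the server), matches the five endpoint paths named in the advisory, and reports every request to them from a client outside an operator-supplied allowlist. The log lines and the 10.0.0.0/8 trusted network are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

# The five A2U endpoints named in the advisory; the {stream_name} and {id}
# path parameters are matched as a single non-slash segment.
A2U_PATH_PATTERNS = [
    re.compile(r"^/a2u/info$"),
    re.compile(r"^/a2u/subscribe$"),
    re.compile(r"^/a2u/events/sub/[^/]+$"),
    re.compile(r"^/a2u/events/[^/]+$"),
    re.compile(r"^/a2u/health$"),
]

# Common Log Format line (assumed proxy log format); the response size is
# often "-" for an SSE stream that is still open when the line is written.
LOG_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def is_a2u_path(path: str) -> bool:
    """True if the request path (query string ignored) is one of the A2U endpoints."""
    bare = path.split("?", 1)[0]
    return any(p.match(bare) for p in A2U_PATH_PATTERNS)


def parse_log_line(line: str):
    """Parse one CLF access-log line into a dict, or None if it does not match."""
    m = LOG_LINE_RE.match(line)
    return m.groupdict() if m else None


def find_a2u_access_outside_allowlist(lines, allowed_networks):
    """Return parsed requests to A2U endpoints whose client IP is outside the allowlist."""
    nets = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
    findings = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None or not is_a2u_path(rec["path"]):
            continue
        try:
            ip = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # a hostname rather than an address; skip instead of crashing
        if any(ip in net for net in nets):
            continue
        findings.append(rec)
    return findings


def summarize_by_client(findings):
    """Count flagged A2U requests per client IP."""
    return Counter(rec["ip"] for rec in findings)


# Constructed sample log lines (not real traffic); 10.0.0.0/8 is the assumed trusted network.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Apr/2026:09:00:01 +0000] "GET /a2u/info HTTP/1.1" 200 312',
    '198.51.100.23 - - [17/Apr/2026:09:00:05 +0000] "GET /a2u/subscribe HTTP/1.1" 200 -',
    '198.51.100.23 - - [17/Apr/2026:09:00:07 +0000] "GET /a2u/events/main?since=0 HTTP/1.1" 200 -',
    '203.0.113.9 - - [17/Apr/2026:09:01:00 +0000] "GET /api/status HTTP/1.1" 200 40',
    '203.0.113.9 - - [17/Apr/2026:09:01:02 +0000] "GET /a2u/health HTTP/1.1" 200 15',
    'not an access log line',
]
TRUSTED_NETWORKS = ["10.0.0.0/8"]


if __name__ == "__main__":
    flagged = find_a2u_access_outside_allowlist(SAMPLE_LOG, TRUSTED_NETWORKS)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["path"]} -> {rec["status"]}')
    print(dict(summarize_by_client(flagged)))
```

On the sample data the in-network request to /a2u/info is ignored, the /api/status request is not an A2U endpoint, and the three remaining A2U requests from 198.51.100.23 and 203.0.113.9 are reported. Before the patch, a hit from outside the allowlist means the firewall or VPN restriction is not doing its job; after the patch, the same report shows which clients were probing the streams while they were unauthenticated.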

Generated by OpenCVE AI on April 17, 2026 at 09:26 UTC.

Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-f292-66h9-fpmf
Title: PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server
History

Wed, 15 Apr 2026 18:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Praison; Praison praisonai
Weaknesses | | NVD-CWE-noinfo
CPEs | | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products | | Praison; Praison praisonai

Fri, 10 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Apr 2026 08:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mervinpraison; Mervinpraison praisonai
Vendors & Products | | Mervinpraison; Mervinpraison praisonai

Wed, 08 Apr 2026 21:15:00 +0000

Type | Values Removed | Values Added
Description | | PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health. This vulnerability is fixed in 4.5.115.
Title | | PraisonAI has Unauthenticated SSE Event Stream Exposes All Agent Activity in A2U Server
Weaknesses | | CWE-200
References | |
Metrics | | cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

Mervinpraison Praisonai
Praison Praisonai
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T20:54:03.584Z

Reserved: 2026-04-07T20:32:03.011Z

Link: CVE-2026-39889

Vulnrichment

Updated: 2026-04-10T20:53:58.667Z

NVD

Status : Analyzed

Published: 2026-04-08T21:17:01.130

Modified: 2026-04-15T17:57:38.450

Link: CVE-2026-39889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T09:30:14Z

Weaknesses