Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.
Published: 2026-04-09
Score: 7.9 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

An unauthenticated modification of the gateway's /api/approval/allow-list endpoint allows an attacker to add dangerous tool names such as shell_exec or file_write to the allowlist. Once those names are auto‑approved, the agent can invoke them without human review, effectively bypassing the safety controls meant to prevent malicious activity. This results in the ability to execute arbitrary code or write files, compromising confidentiality, integrity, and availability of the system.

Affected Systems

The vulnerability applies to MervinPraison PraisonAI versions prior to 4.5.128. The affected component is the gateway service that manages the tool approval allowlist.

Risk and Exploitability

The CVSS score of 7.9 indicates a high severity. Exploitation is possible via unauthenticated HTTP requests to the /api/approval/allow-list endpoint; therefore the attack vector is likely network‑based web API access. The EPSS score is not provided, and the vulnerability is not listed in CISA’s KEV catalog, but the high CVSS and completeness of the attack path suggest that attackers may find this asset appealing, especially in environments where the gateway is exposed.

Generated by OpenCVE AI on April 9, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to PraisonAI version 4.5.128 or later
  • If a patch is unavailable, remove or disable the unauthenticated /api/approval/allow-list endpoint from the gateway configuration
  • Restrict access to the gateway API to authorized users only, for example by placing it behind a VPN or firewall
  • Monitor the allowlist for unauthorized changes and set up alerts to detect when dangerous tool names are added

Generated by OpenCVE AI on April 9, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4wr3-f4p3-5wjh PraisonAI: Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
History

Mon, 20 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Mon, 13 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Thu, 09 Apr 2026 21:45:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.
Title PraisonAI has an Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls
Weaknesses CWE-396
References
Metrics cvssV3_1

{'score': 7.9, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonai
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:37:53.846Z

Reserved: 2026-04-09T19:31:56.013Z

Link: CVE-2026-40149

cve-icon Vulnrichment

Updated: 2026-04-13T15:27:02.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-09T22:16:35.750

Modified: 2026-04-20T19:53:38.610

Link: CVE-2026-40149

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:28:51Z

Weaknesses