Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=["*"] with host="0.0.0.0", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.
Published: 2026-04-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

PraisonAI, a multi‑agent system, allows an unauthenticated caller to request the /api/agents endpoint. The response includes agent names, roles, and the first 100 characters of each agent’s system instructions, leaking potentially sensitive operational data. This confidentiality breach is identified as CWE‑200.

Affected Systems

The vulnerability exists in MervinPraison PraisonAI versions earlier than 4.5.128. The AgentOS FastAPI application has no authentication middleware and no API key validation, and it defaults to CORS allow_origins=["*"] with host="0.0.0.0", so every deployment is network‑accessible and queryable from any origin by default.

Risk and Exploitability

The CVSS score of 5.3 indicates medium severity, and there is no EPSS data or KEV listing. The attack requires only unauthenticated network access to the AgentOS host. The impact is a compromise of confidentiality, exposing agent instructions to anyone who can reach the exposed endpoint.

Generated by OpenCVE AI on April 9, 2026 at 23:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update PraisonAI to version 4.5.128 or newer, which contains the fix
  • Restrict network exposure of AgentOS by applying firewall rules, isolating the service behind a VPN, or otherwise limiting access to trusted hosts
  • Configure the application to replace the default CORS allow_origins=["*"] setting with a list restricted to known, trusted domains

Advisories
Source: GitHub GHSA
ID: GHSA-pm96-6xpr-978x
Title: PraisonAI: Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS

History

Mon, 20 Apr 2026 18:45:00 +0000

Values added (no values removed):

  • First Time appeared: Praison; Praison praisonai
  • CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
  • Vendors & Products: Praison; Praison praisonai

Fri, 10 Apr 2026 18:15:00 +0000

Values added (no values removed):

  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 10 Apr 2026 09:00:00 +0000

Values added (no values removed):

  • First Time appeared: Mervinpraison; Mervinpraison praisonai
  • Vendors & Products: Mervinpraison; Mervinpraison praisonai

Thu, 09 Apr 2026 21:45:00 +0000

Values added (no values removed):

  • Description: PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=["*"] with host="0.0.0.0", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128.
  • Title: PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS
  • Weaknesses: CWE-200
  • References
  • Metrics: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-10T17:10:27.256Z

Reserved: 2026-04-09T19:31:56.013Z

Link: CVE-2026-40151

Vulnrichment

Updated: 2026-04-10T17:10:20.667Z

NVD

Status: Analyzed

Published: 2026-04-09T22:16:36.047

Modified: 2026-04-20T18:33:18.457

Link: CVE-2026-40151

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:28:02Z
