Description
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Published: 2026-04-14
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized remote control & data leakage via WebSocket hijacking
Action: Immediate Patch
AI Analysis

Impact

PraisonAI’s browser bridge (praisonai browser start) has an authentication bypass on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and accepts any client that omits an Origin header; no authentication is required. An attacker can connect, send a start_session message, and the server will route the request to the first idle browser‑extension WebSocket, effectively hijacking that session. This allows the attacker to control a connected browser automation session, view or modify page content, and capture automation output, leading to unauthorized remote control and leakage of sensitive data.

Affected Systems

The vulnerability affects the PraisonAI platform and praisonaiagents. Versions prior to 4.5.139 of PraisonAI and prior to 1.5.140 of praisonaiagents are vulnerable. Later versions contain a fix.

Risk and Exploitability

The CVSS score is 9.1, indicating a critical severity. Explicit EPSS data is unavailable, and it is not listed in CISA’s KEV catalog. The vulnerability can be exploited by any network attacker who can reach the WebSocket endpoint; no credentials or special privileges are required. The attack path is straightforward: open a WebSocket connection to /ws, send start_session, and assume control. Because the service listens on all interfaces, threat exposure is high, especially in environments where the bridge is publicly reachable.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later.
  • If an upgrade is not yet possible, limit exposure of the /ws endpoint by binding the server to localhost or a secure internal interface.
  • Use a firewall or network access control to block external connections to the WebSocket port.
  • Validate the Origin header in incoming WebSocket requests or enforce authentication before routing to browser extensions.
  • Monitor for unauthorized WebSocket connections and report any suspicious activity.

Generated by OpenCVE AI on April 14, 2026 at 05:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8x8f-54wf-vv92 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
History

Mon, 20 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*
Vendors & Products Praison
Praison praisonai
Praison praisonaiagents

Tue, 14 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 14 Apr 2026 16:30:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonai
Mervinpraison praisonaiagents

Tue, 14 Apr 2026 04:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.
Title PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Subscriptions

Mervinpraison Praisonai Praisonaiagents
Praison Praisonai Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-14T20:18:37.319Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40289

cve-icon Vulnrichment

Updated: 2026-04-14T20:18:33.318Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-14T04:17:12.710

Modified: 2026-04-20T17:46:45.700

Link: CVE-2026-40289

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:30:54Z

Weaknesses