Description
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
Published: 2026-06-18
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

PraisonAI versions before 1.5.128 expose a cross-origin agent execution flaw. The AGUI endpoint does not require authentication and unconditionally sends an Access-Control-Allow-Origin: * header. Because Starlette parses the request body as JSON regardless of its Content-Type, an attacker can have a POST to /agui sent as a simple request that skips the CORS preflight, cause the server to execute arbitrary agent commands, and read back the results of those commands along with sensitive environment information. The weakness maps to CWE-942 (Permissive Cross-domain Security Policy with Untrusted Domains), compounded here by the missing authentication on the endpoint.

Affected Systems

The vulnerability affects PraisonAI by the vendor PraisonAI, specifically all releases before version 1.5.128. Hosts running these affected versions, regardless of platform, are susceptible unless mitigated.

Risk and Exploitability

The CVSS score of 8.6 indicates high severity. No EPSS score is reported, and the absence of a KEV listing does not reduce the risk, because the flaw allows remote attackers to trigger arbitrary code execution without authentication. The attack can be performed by any external party over the network and requires only the ability to send crafted HTTP POST requests to the AGUI endpoint. An attacker could therefore gain full control over the agent service, potentially leading to a larger system compromise.

Generated by OpenCVE AI on June 19, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAI to version 1.5.128 or later, which removes the unauthenticated AGUI endpoint.
  • Implement authentication mechanisms (e.g., token or session validation) on the AGUI endpoint to prevent unauthorized access.
  • Modify the Access‑Control‑Allow‑Origin header to specify only trusted domains instead of a wildcard.
  • Configure Starlette’s JSON parser to enforce correct Content‑Type handling and reject malformed requests.
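
One way to combine the authentication, origin-allowlist and Content-Type recommendations above into a single check that runs before the body is parsed. This is an added example, not PraisonAI or Starlette code; the function name, the allowed origin and the token are assumptions constructed for illustration.

```python
import hmac

# Assumed deployment values, constructed for this example.
ALLOWED_ORIGINS = {"https://console.example.internal"}
API_TOKEN = "constructed-example-token"


def check_agui_request(method, headers, allowed_origins=ALLOWED_ORIGINS, token=API_TOKEN):
    """Return (status, cors_headers); 200 means the handler may parse the body."""
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    cors = {}
    # Echo the Origin only when it is on the allowlist; never send "*".
    if origin in allowed_origins:
        cors = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if method == "OPTIONS":
        # Preflight: grant JSON and Authorization to allowlisted origins only.
        if cors:
            cors["Access-Control-Allow-Methods"] = "POST"
            cors["Access-Control-Allow-Headers"] = "Authorization, Content-Type"
            return 204, cors
        return 403, {}
    if method != "POST":
        return 405, cors
    # A browser-supplied Origin that is not allowlisted is refused outright.
    if origin is not None and origin not in allowed_origins:
        return 403, {}
    # Accept application/json only. Form and text/plain bodies, which a browser
    # sends cross-origin without a preflight, are rejected before any parsing.
    media_type = h.get("content-type", "").split(";")[0].strip().lower()
    if media_type != "application/json":
        return 415, cors
    # Bearer token, compared in constant time.
    scheme, _, supplied = h.get("authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not hmac.compare_digest(supplied.encode(), token.encode()):
        return 401, cors
    return 200, cors
```

Requiring application/json and an Authorization header means a browser must preflight any cross-origin call, and the preflight succeeds only for allowlisted origins.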



Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:00:00 +0000

Values added (the Values Removed column is empty):

Description: PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
Title: PraisonAI - Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
First Time appeared: Praison; Praison praisonai
Weaknesses: CWE-942
CPEs: cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products: Praison; Praison praisonai
References:
Metrics:
  cvssV3_1: {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  cvssV4_0: {'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-18T22:12:24.090Z

Reserved: 2026-06-18T15:57:20.434Z

Link: CVE-2026-56076

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T01:00:14Z

Weaknesses
  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains