{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40151", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.013Z", "datePublished": "2026-04-09T21:29:47.415Z", "dateUpdated": "2026-04-10T17:10:27.256Z"}, "containers": {"cna": {"title": "PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:29:47.415Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=[\"*\"] with host=\"0.0.0.0\", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128."}], "source": {"advisory": "GHSA-pm96-6xpr-978x", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T17:10:14.066675Z", "id": "CVE-2026-40151", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:10:27.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40151", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T17:10:14.066675Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T17:10:20.667Z"}}], "cna": {"title": "PraisonAI Affected by Unauthenticated Information Disclosure of Agent Instructions via /api/agents in AgentOS", "source": {"advisory": "GHSA-pm96-6xpr-978x", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.128"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=[\"*\"] with host=\"0.0.0.0\", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:29:47.415Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40151", "state": "PUBLISHED", "dateUpdated": "2026-04-10T17:10:27.256Z", "dateReserved": "2026-04-09T19:31:56.013Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:29:47.415Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1", "versionEndExcluding": "4.5.128", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the AgentOS deployment platform exposes a GET /api/agents endpoint that returns agent names, roles, and the first 100 characters of agent system instructions to any unauthenticated caller. The AgentOS FastAPI application has no authentication middleware, no API key validation, and defaults to CORS allow_origins=[\"*\"] with host=\"0.0.0.0\", making every deployment network-accessible and queryable from any origin by default. This vulnerability is fixed in 4.5.128."}], "id": "CVE-2026-40151", "lastModified": "2026-04-20T18:33:18.457", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:36.047", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-pm96-6xpr-978x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T23:05:23.957172+00:00", "value": {"mitigation_remediation": ["Update PraisonAI to version 4.5.128 or newer, which contains the fix", "Restrict network exposure of AgentOS by applying firewall rules, isolating the service behind a VPN, or otherwise limiting access to trusted hosts", "Configure the application to disable the default CORS allow_origins=\"*\" setting or restrict it to known, trusted domains"], "summary": {"action": "Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in MervinPraison PraisonAI versions earlier than 4.5.128. Deployments using the AgentOS FastAPI application with no authentication middleware, no API key validation, and the default CORS allow_origins=\"*\" with host=\"0.0.0.0\" are affected because every deployment is network\u2011accessible and queryable from any origin by default.", "description_and_impact": "PraisonAI, a multi\u2011agent system, allows an unauthenticated caller to request the /api/agents endpoint. The response includes agent names, roles, and the first 100 characters of each agent\u2019s system instructions, leaking potentially sensitive operational data. This confidentiality breach is identified as CWE\u2011200.", "risk_and_exploitability": "The CVSS score of 5.3 indicates medium severity, and there is no EPSS data or KEV listing. The attack requires only unauthenticated network access to the AgentOS host. The impact is a compromise of confidentiality, exposing agent instructions to anyone who can reach the exposed endpoint."}}}}, "created": "2026-04-10T08:37:05.196472+00:00", "updated": "2026-04-10T09:28:02.938651+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}