{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40289", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-10T20:22:44.035Z", "datePublished": "2026-04-14T03:05:05.514Z", "dateUpdated": "2026-04-14T20:18:37.319Z"}, "containers": {"cna": {"title": "PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.139", "status": "affected"}]}, {"vendor": "MervinPraison", "product": "praisonaiagents", "versions": [{"version": "< 1.5.140", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T03:05:05.514Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents."}], "source": {"advisory": "GHSA-8x8f-54wf-vv92", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T20:18:27.623888Z", "id": "CVE-2026-40289", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T20:18:37.319Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40289", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-14T20:18:27.623888Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T20:18:33.318Z"}}], "cna": {"title": "PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions", "source": {"advisory": "GHSA-8x8f-54wf-vv92", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.139"}]}, {"vendor": "MervinPraison", "product": "praisonaiagents", "versions": [{"status": "affected", "version": "< 1.5.140"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-14T03:05:05.514Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40289", "state": "PUBLISHED", "dateUpdated": "2026-04-14T20:18:37.319Z", "dateReserved": "2026-04-10T20:22:44.035Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-14T03:05:05.514Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "E5F6A0D4-AFE6-4DDA-A1C0-E74C7DD46E00", "versionEndExcluding": "4.5.139", "vulnerable": true}, {"criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:python:*:*", "matchCriteriaId": "37CF4D9C-AD55-414A-9BF2-49A51F03A682", "versionEndExcluding": "1.5.140", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents."}], "id": "CVE-2026-40289", "lastModified": "2026-04-20T17:46:45.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-14T04:17:12.710", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.139)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.5.140)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "praisonaiagents", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonaiagents", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-14T05:21:50.261981+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later.", "If an upgrade is not yet possible, limit exposure of the /ws endpoint by binding the server to localhost or a secure internal interface.", "Use a firewall or network access control to block external connections to the WebSocket port.", "Validate the Origin header in incoming WebSocket requests or enforce authentication before routing to browser extensions.", "Monitor for unauthorized WebSocket connections and report any suspicious activity."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized remote control & data leakage via WebSocket hijacking"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the PraisonAI platform and praisonaiagents. Versions prior to 4.5.139 of PraisonAI and prior to 1.5.140 of praisonaiagents are vulnerable. Later versions contain a fix.", "description_and_impact": "PraisonAI\u2019s browser bridge (praisonai browser start) has an authentication bypass on its /ws WebSocket endpoint. The server binds to 0.0.0.0 by default and accepts any client that omits an Origin header; no authentication is required. An attacker can connect, send a start_session message, and the server will route the request to the first idle browser\u2011extension WebSocket, effectively hijacking that session. This allows the attacker to control a connected browser automation session, view or modify page content, and capture automation output, leading to unauthorized remote control and leakage of sensitive data.", "risk_and_exploitability": "The CVSS score is 9.1, indicating a critical severity. Explicit EPSS data is unavailable, and it is not listed in CISA\u2019s KEV catalog. The vulnerability can be exploited by any network attacker who can reach the WebSocket endpoint; no credentials or special privileges are required. The attack path is straightforward: open a WebSocket connection to /ws, send start_session, and assume control. Because the service listens on all interfaces, threat exposure is high, especially in environments where the bridge is publicly reachable."}}}}, "created": "2026-04-14T16:15:57.945419+00:00", "updated": "2026-04-14T16:30:54.568127+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai", "mervinpraison$PRODUCT$praisonaiagents"]}