Plataforma
python
Componente
praisonai
Corrigido em
4.5.129
4.5.128
CVE-2026-40151 describes an Information Disclosure vulnerability within the praisonai AgentOS deployment platform. This flaw allows unauthenticated attackers to access sensitive information, including agent names, roles, and the initial portion of agent system instructions. The vulnerability impacts versions of praisonai up to 4.5.98, and a fix is available in version 4.5.128.
The primary impact of CVE-2026-40151 is the exposure of sensitive agent data. An attacker could leverage this information to gain insights into the deployed agents' roles and functionalities, potentially aiding in reconnaissance for further attacks. While the initial system instructions are truncated to 100 characters, this partial exposure can still reveal valuable clues about the agents' intended behavior and configuration. The lack of authentication and the permissive CORS settings (allowing all origins) significantly broaden the attack surface, making exploitation straightforward from any network location. This vulnerability resembles scenarios where internal system details are inadvertently exposed via misconfigured APIs, potentially leading to privilege escalation or data breaches.
CVE-2026-40151 was published on 2026-04-10. Its severity is currently assessed as Medium. There are no known public exploits or active campaigns targeting this vulnerability at the time of writing. The vulnerability is not listed on KEV or EPSS. Monitor security advisories and threat intelligence feeds for any updates regarding exploitation attempts.
Status do Exploit
EPSS
0.04% (percentil 12%)
CISA SSVC
Vetor CVSS
The recommended mitigation for CVE-2026-40151 is to immediately upgrade praisonai to version 4.5.128 or later. If upgrading is not immediately feasible, consider implementing temporary workarounds. Restrict network access to the AgentOS deployment platform using firewalls or network segmentation to limit exposure. Implement API authentication middleware to require valid credentials for accessing the /api/agents endpoint. Configure CORS to restrict allowed origins to trusted domains only. While not a direct fix, these steps can reduce the attack surface and limit the potential impact of the vulnerability.
Actualice PraisonAI a la versión 4.5.128 o superior para mitigar la divulgación de información no autenticada. Esta versión corrige la vulnerabilidad al implementar la autenticación adecuada y la validación de API keys, así como al restringir el acceso CORS.
Análise de vulnerabilidades e alertas críticos diretamente no seu e-mail.
CVE-2026-40151 is an Information Disclosure vulnerability affecting praisonai versions up to 4.5.98. It allows unauthenticated attackers to retrieve agent names, roles, and parts of system instructions via the /api/agents endpoint.
You are affected if you are running praisonai version 4.5.98 or earlier. Check your version using /opt/praisonai/bin/praisonai --version.
Upgrade praisonai to version 4.5.128 or later. As a temporary workaround, restrict network access and implement API authentication.
There are currently no known public exploits or active campaigns targeting CVE-2026-40151, but continuous monitoring is recommended.
Refer to the praisonai security advisories page for the latest information and official guidance regarding CVE-2026-40151.
Envie seu arquivo de dependências e descubra na hora se esta e outras CVEs te atingem.
Envie seu arquivo requirements.txt e descubra na hora se você está afetado.