Denial of Service in PraisonAI Multi-Agent Teams System by Mervin Praison
CVE-2026-40115

6.2 MEDIUM

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-40115?

In the PraisonAI multi-agent teams system, prior to version 4.5.128, the WSGI-based recipe registry server (server.py) is susceptible to memory exhaustion because it reads the entire HTTP request body into memory. The number of bytes read is taken from the client-supplied Content-Length header, with no upper limit. Compounding this, authentication is disabled by default, so any local process can send excessively large POST requests and cause a denial of service. The Starlette-based server (serve.py) mitigates the same problem with a 10MB RequestSizeLimitMiddleware, but the WSGI server has no such protection. The vulnerability was addressed in version 4.5.128.
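As an added illustration (not PraisonAI's own code; the function names, the 10MB cap constant and the environ builder are assumptions), a minimal WSGI reader showing the unbounded pattern the advisory describes beside one that rejects an oversized or inconsistent Content-Length before buffering anything:

```python
import io

MAX_BODY_BYTES = 10 * 1024 * 1024  # hypothetical cap; mirrors the 10MB limit the advisory cites for serve.py

class BadRequest(ValueError): pass          # malformed or inconsistent Content-Length
class PayloadTooLarge(ValueError): pass     # declared body exceeds the cap

def read_body_unbounded(environ):
    # The pattern the advisory describes: read however many bytes the client declares.
    return environ["wsgi.input"].read(int(environ.get("CONTENT_LENGTH") or 0))

def read_body_bounded(environ, limit=MAX_BODY_BYTES):
    # Hardened pattern: validate the declared length against a fixed cap before reading a byte.
    try:
        declared = int(environ.get("CONTENT_LENGTH") or 0)
    except ValueError:
        raise BadRequest("Content-Length is not an integer")
    if declared < 0:
        raise BadRequest("negative Content-Length")
    if declared > limit:
        raise PayloadTooLarge(f"declared {declared} bytes, cap is {limit}")
    body = environ["wsgi.input"].read(declared)
    if len(body) != declared:  # client declared more than it actually sent
        raise BadRequest("body shorter than Content-Length")
    return body

def app(environ, start_response):
    # Minimal WSGI handler mapping the two failure classes to 413 and 400.
    try:
        body = read_body_bounded(environ)
    except PayloadTooLarge:
        start_response("413 Payload Too Large", [("Content-Type", "text/plain")])
        return [b"payload too large"]
    except BadRequest as exc:
        start_response("400 Bad Request", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"received {len(body)} bytes".encode()]

def make_environ(body, declared_length=None):
    # Constructed WSGI environ so the handler runs offline; declared_length lets a caller lie about the size.
    length = len(body) if declared_length is None else declared_length
    return {"REQUEST_METHOD": "POST", "CONTENT_LENGTH": str(length), "wsgi.input": io.BytesIO(body)}

def call_app(environ):
    # Drive the app and return (status, response body) for inspection.
    captured = {}
    out = b"".join(app(environ, lambda status, headers: captured.setdefault("status", status)))
    return captured["status"], out
```

The check happens on the declared size, so a request claiming a multi-gigabyte body is refused with 413 before any allocation; the length comparison after the read also catches a client that declares more than it sends.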

Affected Version(s)

PraisonAI < 4.5.128

CVSS V3.1

Score: 6.2
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
