Insecure API Configuration in PraisonAI Leading to Unauthenticated Access
CVE-2026-61426

8.8HIGH

Key Information:

Status
Vendor
CVE Published:
11 July 2026

What is CVE-2026-61426?

PraisonAI versions prior to 1.7.3 suffer from an insecure default configuration that exposes critical API endpoints to unauthenticated users. The application improperly binds to all interfaces, creates a wildcard CORS policy, and does not require an API key for accessing sensitive resources. Attackers can exploit these vulnerabilities to make unauthorized GET requests to /api/agents, gaining access to internal agent instructions and system prompts, or issue POST requests to /api/chat to manipulate agent functions, posing a significant risk to the security and integrity of the application.

Affected Version(s)

PraisonAI 0 < 1.7.3

PraisonAI 1.7.3

References

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dinhvaren
.