Insecure API Configuration in PraisonAI Leading to Unauthenticated Access
CVE-2026-61426
8.8HIGH
What is CVE-2026-61426?
PraisonAI versions prior to 1.7.3 suffer from an insecure default configuration that exposes critical API endpoints to unauthenticated users. The application improperly binds to all interfaces, creates a wildcard CORS policy, and does not require an API key for accessing sensitive resources. Attackers can exploit these vulnerabilities to make unauthorized GET requests to /api/agents, gaining access to internal agent instructions and system prompts, or issue POST requests to /api/chat to manipulate agent functions, posing a significant risk to the security and integrity of the application.
Affected Version(s)
PraisonAI 0 < 1.7.3
PraisonAI 1.7.3
