Cyber Resilience

CVE-2026-34952

CriticalPublic PoC

Published: 03 April 2026

Published
03 April 2026
Modified
09 April 2026
KEV Added
Patch
CVSS Score v3.1 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0044 35.4th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-34952 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Praison Praisonai. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 35.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-34952 is a missing authentication vulnerability (CWE-306) in the PraisonAI Gateway server, part of the PraisonAI multi-agent teams system. In versions prior to 4.5.97, the server accepts WebSocket connections at the /ws endpoint and exposes agent topology information at the /info endpoint without any authentication requirements. This allows unauthorized access to sensitive system details and interaction capabilities, earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).

Any network client with connectivity to the PraisonAI Gateway server can exploit this vulnerability without privileges or user interaction. Attackers can establish WebSocket connections, enumerate all registered agents, and send arbitrary messages directly to those agents and their associated tool sets, potentially leading to unauthorized data disclosure, manipulation of agent behaviors, or execution of unintended actions within the multi-agent environment.

The vulnerability has been addressed in PraisonAI version 4.5.97, which introduces the necessary authentication controls. Additional details on the patch and remediation steps are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages…

more

to agents and their tool sets. This issue has been patched in version 4.5.97.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Missing authentication on the publicly accessible PraisonAI Gateway server (/ws and /info endpoints) directly enables initial access by exploiting a public-facing application as per T1190.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-44338Same product: Praison Praisonai
CVE-2026-34934Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-39890Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai
CVE-2026-40289Same product: Praison Praisonai
CVE-2026-39308Same product: Praison Praisonai
CVE-2026-44334Same product: Praison Praisonai
CVE-2026-40315Same product: Praison Praisonai
CVE-2026-34953Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.97

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly specifies and restricts actions permitted without identification or authentication, preventing unauthorized WebSocket connections, agent enumeration, and message sending.

prevent

Requires unique identification and authentication for non-organizational service users, blocking unauthenticated access to the gateway's WebSocket and /info endpoints.

prevent

Enforces approved access control policies for logical access, ensuring authentication is required before allowing connections or information disclosure via exposed endpoints.

References