CVE-2026-34952
Published: 03 April 2026
Summary
CVE-2026-34952 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Praison Praisonai. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 3.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly specifies and restricts actions permitted without identification or authentication, preventing unauthorized WebSocket connections, agent enumeration, and message sending.
- Requires unique identification and authentication for non-organizational service users, blocking unauthenticated access to the gateway's WebSocket and /info endpoints.
- Enforces approved access control policies for logical access, ensuring authentication is required before allowing connections or information disclosure via exposed endpoints.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Missing authentication on the publicly accessible PraisonAI Gateway server (/ws and /info endpoints) directly enables initial access by exploiting a public-facing application as per T1190.
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any network client can connect, enumerate registered agents, and send arbitrary messages to agents and their tool sets. This issue has been patched in version 4.5.97.
Deeper analysis
CVE-2026-34952 is a missing authentication vulnerability (CWE-306) in the PraisonAI Gateway server, part of the PraisonAI multi-agent teams system. In versions prior to 4.5.97, the server accepts WebSocket connections at the /ws endpoint and exposes agent topology information at the /info endpoint without any authentication requirements. This allows unauthorized access to sensitive system details and interaction capabilities, earning a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N).
Any network client with connectivity to the PraisonAI Gateway server can exploit this vulnerability without privileges or user interaction. Attackers can establish WebSocket connections, enumerate all registered agents, and send arbitrary messages directly to those agents and their associated tool sets, potentially leading to unauthorized data disclosure, manipulation of agent behaviors, or execution of unintended actions within the multi-agent environment.
The vulnerability has been addressed in PraisonAI version 4.5.97, which introduces the necessary authentication controls. Additional details on the patch and remediation steps are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-cfh6-vr3j-qc3g.
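As an added example (not PraisonAI's own code, nor the code in the 4.5.97 patch): the kind of authorization gate the fix implies for /ws and /info, together with a log check that surfaces unauthenticated hits on those endpoints for triage of hosts still running a vulnerable version. The bearer-token scheme, header names and access-log format are assumptions made for this example.

```python
"""Added example (not PraisonAI's own code): a gateway-side authorization
gate for the /ws and /info endpoints described in CVE-2026-34952, plus a
detector that flags unauthenticated hits in constructed access-log lines.
Assumed: the gateway is configured with a shared bearer token; the log
format below is made up for this example."""
import hmac
import re

PROTECTED_PATHS = {"/ws", "/info"}  # endpoints that lacked auth before 4.5.97


def is_authorized(path: str, headers: dict, expected_token: str) -> bool:
    """Allow a request only if it is not a protected path, or it carries a
    valid bearer token. hmac.compare_digest gives a constant-time compare."""
    if path not in PROTECTED_PATHS:
        return True
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    presented = auth[len("Bearer "):]
    return hmac.compare_digest(presented.encode(), expected_token.encode())


# Constructed access-log lines: "<client> <path> <auth_present> <status>"
SAMPLE_LOG = """\
198.51.100.7 /info none 200
198.51.100.7 /ws none 101
10.0.0.5 /ws bearer 101
198.51.100.7 /health none 200
"""
LOG_RE = re.compile(r"^(?P<client>\S+) (?P<path>\S+) (?P<auth>\S+) (?P<status>\d{3})$")


def find_unauthenticated_hits(log_text: str) -> list[tuple[str, str]]:
    """Return (client, path) pairs where a protected endpoint was served
    (2xx, or 101 Switching Protocols for the WebSocket upgrade) with no
    credential presented: the exposure this CVE describes."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        served = m["status"] == "101" or m["status"].startswith("2")
        if m["path"] in PROTECTED_PATHS and m["auth"] == "none" and served:
            hits.append((m["client"], m["path"]))
    return hits


if __name__ == "__main__":
    print(find_unauthenticated_hits(SAMPLE_LOG))
```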
Details
- CWE(s)