CVE-2026-39889
Published: 08 April 2026
Summary
CVE-2026-39889 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Praison Praisonai. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 5.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 requires identification, authorization, and monitoring of actions permitted without authentication, directly preventing exposure of sensitive A2U endpoints like /a2u/info without auth checks.
AC-3 enforces approved access authorizations, addressing the lack of authentication in the create_a2u_routes() function for agent activity endpoints.
SC-14 establishes protections for publicly accessible systems, mitigating unauthenticated network access (AV:N/PR:N) to the A2U event stream server.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability exposes multiple unauthenticated endpoints in a public-facing application, directly enabling exploitation of public-facing applications to retrieve sensitive agent activity data.
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.115, the A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. The create_a2u_routes() function registers the following endpoints with NO authentication checks: /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health.…
more
This vulnerability is fixed in 4.5.115.
Deeper analysisAI
CVE-2026-39889 is an information disclosure vulnerability in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.115. The issue stems from the A2U (Agent-to-User) event stream server, which exposes all agent activity without authentication. Specifically, the create_a2u_routes() function registers several endpoints—including /a2u/info, /a2u/subscribe, /a2u/events/{stream_name}, /a2u/events/sub/{id}, and /a2u/health—with no authentication checks, allowing unauthorized access to sensitive agent data. The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE-200.
Any unauthenticated attacker with network access can exploit this vulnerability with low complexity and no user interaction. By directly accessing the exposed endpoints, attackers can retrieve all agent activity, resulting in high-impact confidentiality loss without affecting integrity or availability.
The vulnerability is addressed in PraisonAI version 4.5.115, which introduces proper authentication for the A2U endpoints. Additional details on the issue and remediation are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f292-66h9-fpmf.
Details
- CWE(s)