Cyber Posture

CVE-2026-40116

High · Public PoC

Published: 09 April 2026

Modified: 17 April 2026
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0010 (27.3rd percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-40116 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Praison Praisonai. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). By exploit likelihood it ranks at the 27.3rd percentile (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as APIs and Models.

The strongest mitigations our analysis identified are NIST 800-53 AC-10 (Concurrent Session Control) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques.
What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) · AI

Prevent: SC-5 Denial-of-service Protection directly mitigates resource exhaustion by requiring limits on connections, message rates, and sizes for the unauthenticated WebSocket endpoint.

Prevent: AC-10 Concurrent Session Control limits the number of simultaneous WebSocket connections to prevent server resource depletion from multiple unauthenticated sessions.

Prevent: AC-3 Access Enforcement requires authentication and validation for the /media-stream endpoint, blocking unauthenticated connections that proxy to OpenAI's API.
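
The three controls above, combined into one guard that runs before any upstream OpenAI session is opened. This is an added example, not PraisonAI's code or the 4.5.128 fix: `StreamGuard`, its limits, the token and the URL are hypothetical, and `twilio_signature` follows Twilio's published request-signing scheme.

```python
import base64, hashlib, hmac
from collections import Counter

def twilio_signature(auth_token, url, params=None):
    """base64(HMAC-SHA1(token, url + sorted key/value pairs)), Twilio's request-signing scheme."""
    data = url + "".join(k + v for k, v in sorted((params or {}).items()))
    return base64.b64encode(hmac.new(auth_token.encode(), data.encode(), hashlib.sha1).digest()).decode()


class StreamGuard:
    """Hypothetical guard: checks to run before an upstream (paid) API session is opened."""
    def __init__(self, auth_token, max_total=20, max_per_ip=2, max_msg_bytes=16_384, msgs_per_sec=60):
        self.auth_token, self.max_total, self.max_per_ip = auth_token, max_total, max_per_ip
        self.max_msg_bytes, self.rate = max_msg_bytes, float(msgs_per_sec)
        self.per_ip = Counter()  # ip -> open connections
        self.buckets = {}        # conn_id -> (tokens, time of last update)

    def admit(self, conn_id, ip, url, signature, now):
        """AC-3, then AC-10: authenticate the handshake, then enforce connection caps."""
        expected = twilio_signature(self.auth_token, url).encode()
        if not hmac.compare_digest(expected, (signature or "").encode()):
            return "reject: bad signature"
        if sum(self.per_ip.values()) >= self.max_total or self.per_ip[ip] >= self.max_per_ip:
            return "reject: connection limit"
        self.per_ip[ip] += 1
        self.buckets[conn_id] = (self.rate, now)  # bucket starts full
        return "accept"

    def allow_message(self, conn_id, payload, now):
        """SC-5: per-message size cap plus a token-bucket rate limit per connection."""
        if len(payload) > self.max_msg_bytes:
            return False
        tokens, last = self.buckets[conn_id]
        tokens = min(self.rate, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.buckets[conn_id] = (tokens - 1 if allowed else tokens, now)
        return allowed

    def release(self, conn_id, ip):
        """Free the slot on disconnect."""
        if self.buckets.pop(conn_id, None) is not None:
            self.per_ip[ip] -= 1


if __name__ == "__main__":
    token, url = "constructed-token", "wss://voice.example.test/media-stream"  # constructed values
    guard = StreamGuard(token)
    print(guard.admit("c1", "203.0.113.7", url, None, now=0.0))                          # rejected
    print(guard.admit("c2", "203.0.113.7", url, twilio_signature(token, url), now=0.0))  # accepted
```

The order matters: the signature check and the connection caps both run before a bucket is allocated, so a rejected client costs the server no per-connection state and no upstream session.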

MITRE ATT&CK Enterprise Techniques · AI

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1496.004 Cloud Service Hijacking (Impact)
Adversaries may leverage compromised software-as-a-service (SaaS) applications to complete resource-intensive tasks, which may impact hosted service availability.

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

Why these techniques?

The unauthenticated, public WebSocket endpoint has no rate limits, which directly enables T1190 (exploit public-facing app) to achieve T1499.004 (application exploitation for DoS via resource exhaustion) and T1496.004 (cloud service hijacking via proxying to drain OpenAI credits).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.

Deeper analysis · AI

CVE-2026-40116 affects PraisonAI, a multi-agent teams system, specifically the /media-stream WebSocket endpoint in its call module prior to version 4.5.128. The vulnerability stems from the endpoint accepting connections from any client without authentication or Twilio signature validation. Each such connection establishes an authenticated session to OpenAI's Realtime API using the server's API key, with no restrictions on concurrent connections, message rates, or message sizes. This enables resource exhaustion on the server and depletion of the victim's OpenAI API credits, rated at CVSS 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and mapped to CWE-770 (Allocation of Resources Without Limits or Throttling).

An unauthenticated attacker can exploit this remotely with low complexity by simply connecting to the exposed /media-stream WebSocket endpoint on a vulnerable PraisonAI instance. By opening multiple connections and sending unbounded messages, the attacker consumes excessive server resources, potentially causing denial of service through CPU, memory, or bandwidth exhaustion. Additionally, the attack drains the server's OpenAI API credits by proxying traffic through the victim's authenticated sessions to the Realtime API.

The GitHub Security Advisory (GHSA-q5r4-47m9-5mc7) confirms the issue is resolved in PraisonAI version 4.5.128, which introduces necessary authentication and validation controls. Security practitioners should upgrade to 4.5.128 or later and review server configurations for exposed endpoints.

This vulnerability highlights risks in AI/ML systems integrating third-party APIs like OpenAI's Realtime API, where lack of throttling can lead to economic denial-of-service attacks.

Details

CWE(s)

Affected Products

praison praisonai ≤ 4.5.128

AI Security Analysis · AI

AI Category: APIs and Models
Risk Domain: N/A
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: openai, openai

CVEs Like This One

CVE-2026-40115 (same product: Praison Praisonai)
CVE-2026-39890 (same product: Praison Praisonai)
CVE-2026-39889 (same product: Praison Praisonai)
CVE-2026-34953 (same product: Praison Praisonai)
CVE-2026-34934 (same product: Praison Praisonai)
CVE-2026-34952 (same product: Praison Praisonai)
CVE-2026-40315 (same product: Praison Praisonai)
CVE-2026-39891 (same product: Praison Praisonai)
CVE-2026-39888 (same product: Praison Praisonai)
CVE-2026-39308 (same product: Praison Praisonai)
