CVE-2026-40149
Published: 09 April 2026
Summary
CVE-2026-40149 is a high-severity Declaration of Catch for Generic Exception (CWE-396) vulnerability in Praison Praisonai. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). It ranks at the 2.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly limits and controls permitted actions without identification or authentication, preventing unauthenticated modifications to the /api/approval/allow-list endpoint.
- Enforces approved authorizations for logical access, blocking unauthenticated changes to the tool approval allowlist.
- Implements least privilege to ensure modification of critical allowlists like tool approvals requires authentication and minimal necessary access.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated modification of the tool approval allowlist to include shell_exec, which enables Unix Shell execution without human approval, and it bypasses the safety mechanism, impairing defenses by modifying tool approval controls.
NVD Description
PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.
Deeper analysis
CVE-2026-40149 is a vulnerability in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.128. The issue lies in the gateway's /api/approval/allow-list endpoint, which permits unauthenticated modification of the tool approval allowlist when no auth_token is configured, which is the default setting. This CWE-396 flaw enables attackers to add dangerous tool names, such as shell_exec or file_write, to the allowlist, causing the ExecApprovalManager to auto-approve future agent invocations of those tools and bypassing the human-in-the-loop safety mechanism. The vulnerability has a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N).
A local attacker with no privileges required can exploit this low-complexity vulnerability without user interaction. By sending an unauthenticated request to the endpoint, the attacker modifies the allowlist to include high-risk tools, enabling subsequent agent executions to run those tools automatically without human approval. This grants the attacker high integrity impact, such as arbitrary file writes or shell command execution via agents, along with low confidentiality impact in a changed scope.
The GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh details the fix in PraisonAI version 4.5.128, which addresses the unauthenticated modification issue. Security practitioners should upgrade to 4.5.128 or later and configure an auth_token on the gateway endpoint to mitigate exploitation.
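The fail-open behaviour described above (an unset auth_token treated as "no authentication needed") next to a fail-closed check, plus a defender-side audit of the allowlist. This is an added example, not PraisonAI's code: the class, method and function names are hypothetical, and only auth_token, the allowlist concept and the tool names shell_exec and file_write come from the advisory text.

```python
import hmac
from typing import List, Optional, Set

HIGH_RISK_TOOLS = {"shell_exec", "file_write"}  # tool names cited in the advisory text


class AllowListGateway:
    """Hypothetical stand-in for a gateway that manages a tool approval allowlist."""

    def __init__(self, auth_token: Optional[str] = None):
        self.auth_token = auth_token      # None models the unconfigured default
        self.allowlist: Set[str] = set()

    def _authorized_fail_open(self, presented: Optional[str]) -> bool:
        # Weak pattern: an unset token is treated as "authentication disabled".
        if not self.auth_token:
            return True
        return hmac.compare_digest(self.auth_token.encode(), (presented or "").encode())

    def _authorized_fail_closed(self, presented: Optional[str]) -> bool:
        # Hardened pattern: with no configured token, nobody may change the list.
        if not self.auth_token or not presented:
            return False
        return hmac.compare_digest(self.auth_token.encode(), presented.encode())

    def add_tool(self, tool: str, presented: Optional[str], hardened: bool = True) -> int:
        """Return an HTTP-style status code for an allowlist addition request."""
        check = self._authorized_fail_closed if hardened else self._authorized_fail_open
        if not check(presented):
            return 401
        self.allowlist.add(tool)
        return 200


def audit(gateway: AllowListGateway) -> List[str]:
    """Defender-side check: flag missing auth and high-risk auto-approved tools."""
    findings = []
    if not gateway.auth_token:
        findings.append("auth_token not configured")
    for tool in sorted(gateway.allowlist & HIGH_RISK_TOOLS):
        findings.append(f"high-risk tool auto-approved: {tool}")
    return findings
```

The same audit logic applies to a real deployment once the allowlist contents and the gateway's auth_token setting are read from wherever that deployment stores them.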
Details
- CWE(s)