Cyber Resilience

CVE-2026-40149

High · Public PoC

Published: 09 April 2026

Modified: 20 April 2026
CVSS Score v3.1: 7.9 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N)
EPSS Score: 0.0023 (13.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40149 is a high-severity Declaration of Catch for Generic Exception (CWE-396) vulnerability in Praison Praisonai. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004). The CVE ranks at the 13.4th percentile for exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-40149 is a vulnerability in PraisonAI, a multi-agent teams system, affecting versions prior to 4.5.128. The issue lies in the gateway's /api/approval/allow-list endpoint, which permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default setting). This CWE-396 flaw lets attackers add dangerous tool names, such as shell_exec or file_write, to the allowlist. The ExecApprovalManager then auto-approves future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism. The vulnerability has a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N).

A local attacker needs no privileges and no user interaction to exploit this low-complexity vulnerability. By sending an unauthenticated request to the endpoint, the attacker modifies the allowlist to include high-risk tools, so that subsequent agent executions run those tools automatically without human approval. The result is high integrity impact, such as arbitrary file writes or shell command execution via agents, along with low confidentiality impact, in a changed scope.

The GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh details the fix in PraisonAI version 4.5.128, which addresses the unauthenticated modification issue. Security practitioners should upgrade to 4.5.128 or later and configure an auth_token on the gateway endpoint to mitigate exploitation.
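The fail-open condition described above, next to a fail-closed alternative, as an added illustration that is not PraisonAI's code. The function names, the request shape, the `web_search` tool name and the extra rule that high-risk tools can never be allowlisted are assumptions of this sketch.

```python
import hmac

# Tool names the advisory text cites as dangerous to auto-approve.
HIGH_RISK_TOOLS = frozenset({"shell_exec", "file_write"})


def authorize_fail_open(configured_token, presented_token):
    """Pattern described for affected versions: no auth_token means no check."""
    if not configured_token:
        return True  # default deployment accepts every caller
    return hmac.compare_digest(configured_token.encode(),
                               (presented_token or "").encode())


def authorize_fail_closed(configured_token, presented_token):
    """Hardened form: an unset token closes the endpoint instead of opening it."""
    if not configured_token or not presented_token:
        return False
    return hmac.compare_digest(configured_token.encode(),
                               presented_token.encode())


def handle_add(allowlist, tool, configured_token, presented_token, hardened):
    """Hypothetical allowlist-add handler; returns (http_status, new_allowlist)."""
    check = authorize_fail_closed if hardened else authorize_fail_open
    if not check(configured_token, presented_token):
        return 401, allowlist
    if hardened and tool in HIGH_RISK_TOOLS:
        # Assumed defense in depth: these tools always need a human decision.
        return 403, allowlist
    return 200, allowlist | {tool}


def needs_human_approval(tool, allowlist):
    """Models the approval manager: allowlisted tools are auto-approved."""
    return tool not in allowlist
```

With no token configured, the fail-open handler accepts an anonymous request and `shell_exec` stops requiring approval; the fail-closed handler returns 401 and the approval step stays in place.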

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.004 Unix Shell · Execution
Adversaries may abuse Unix shell commands and scripts for execution.
T1685 Disable or Modify Tools · Defense Impairment
Adversaries may disable, degrade, or tamper with security tools or applications (e.
Why these techniques?

The vulnerability allows unauthenticated modification of the tool approval allowlist to include shell_exec, which enables Unix Shell execution without human approval. It also bypasses the safety mechanism, impairing defenses by modifying the tool approval controls.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34955 · Same product: Praison Praisonai
CVE-2026-40156 · Same product: Praison Praisonai
CVE-2026-39889 · Same product: Praison Praisonai
CVE-2026-40114 · Same product: Praison Praisonai
CVE-2026-39308 · Same product: Praison Praisonai
CVE-2026-39891 · Same product: Praison Praisonai
CVE-2026-34939 · Same product: Praison Praisonai
CVE-2026-39305 · Same product: Praison Praisonai
CVE-2026-44338 · Same product: Praison Praisonai
CVE-2026-34952 · Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.128

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly limits and controls permitted actions without identification or authentication, preventing unauthenticated modifications to the /api/approval/allow-list endpoint.

prevent

Enforces approved authorizations for logical access, blocking unauthenticated changes to the tool approval allowlist.

prevent

Implements least privilege to ensure modification of critical allowlists like tool approvals requires authentication and minimal necessary access.
