Cyber Posture

CVE-2026-40289

CriticalPublic PoC

Published: 14 April 2026

Published
14 April 2026
Modified
20 April 2026
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0005 15.4th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40289 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Praison Praisonai. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 15.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-17 (Remote Access) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-17 Remote Access good match
prevent

Establishes authentication and usage restrictions for remote access mechanisms like the vulnerable WebSocket endpoint, directly preventing unauthenticated session hijacking.

AC-3 Access Enforcement good match
prevent

Enforces approved access authorizations requiring authentication on the /ws endpoint, blocking unauthorized connections and session routing to idle browsers.

SC-7 Boundary Protection good match
prevent

Monitors and controls communications at network boundaries to block external access to the 0.0.0.0-bound browser bridge server.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1185 Browser Session Hijacking Collection
Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.
attack.mitre.org →
Why these techniques?

Missing authentication and bypassable origin check on exposed WebSocket (/ws) directly enables T1190 (Exploit Public-Facing Application) for unauthenticated network access; routing start_session to hijack browser-extension WebSocket sessions facilitates T1185 (Browser Session Hijacking) with remote control and data leakage.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its…

more

/ws WebSocket endpoint. The server binds to 0.0.0.0 by default and only validates the Origin header when one is present, meaning any non-browser client that omits the header is accepted without restriction. An unauthenticated network attacker can connect, send a start_session message, and the server will route it to the first idle browser-extension WebSocket (effectively hijacking that session) and then broadcast all resulting automation actions and outputs back to the attacker. This enables unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in any environment where the bridge is network-reachable. This issue has been fixed in versions 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents.

Deeper analysisAI

CVE-2026-40289 is a high-severity vulnerability (CVSS 3.1 score of 9.1) affecting the browser bridge component in PraisonAI versions below 4.5.139 and praisonaiagents versions below 1.5.140. PraisonAI is a multi-agent teams system that exposes a WebSocket endpoint (/ws) via the "praisonai browser start" server, which binds to 0.0.0.0 by default. The flaw stems from missing authentication (CWE-306) and a bypassable origin check, where the server only validates the Origin header if it is present in the request.

An unauthenticated network attacker can exploit this by connecting to the /ws endpoint from any non-browser client that omits the Origin header, bypassing restrictions entirely. The attacker sends a "start_session" message, which the server routes to the first idle browser-extension WebSocket, hijacking the session. This grants remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions in environments where the bridge is network-reachable.

The GitHub Security Advisory (GHSA-8x8f-54wf-vv92) confirms the issue has been addressed in PraisonAI 4.5.139 and praisonaiagents 1.5.140, recommending immediate upgrades to mitigate the risk. No workarounds are detailed beyond patching, emphasizing network restrictions if the bridge must remain exposed.

This vulnerability is particularly relevant in AI/ML workflows involving PraisonAI's multi-agent browser automation, as exploitation could enable unauthorized interference with model-driven actions. No public reports of real-world exploitation exist as of the CVE publication on 2026-04-14.

Details

CWE(s)
CWE-306

Affected Products

praison
praisonai
≤ 4.5.139
praison
praisonaiagents
≤ 1.5.140

CVEs Like This One

CVE-2026-34952Same product: Praison Praisonai
CVE-2026-40288Same product: Praison Praisonai
CVE-2026-44339Same product: Praison Praisonai
CVE-2026-40287Same product: Praison Praisonai
CVE-2026-41496Same product: Praison Praisonai
CVE-2026-39890Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-34934Same product: Praison Praisonai
CVE-2026-40315Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai

References