Critical (9.1)

PraisonAI Agent Access (CVE-2026-34952)

CVE-2026-34952

PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any netwo...

Overview

A critical security vulnerability, CVE-2026-34952, has been identified in the PraisonAI multi-agent teams system. The flaw resides in the PraisonAI Gateway server, which handles communication between AI agents. Prior to version 4.5.97, the server exposed two key endpoints without any form of authentication, allowing complete unauthorized access.

Vulnerability Details

The PraisonAI Gateway server incorrectly accepted WebSocket connections at the /ws endpoint and served detailed agent topology information at the /info endpoint without requiring authentication. This design flaw meant any client on the network could connect to these endpoints. Once connected, an attacker could perform two primary actions: first, list all registered AI agents and their configurations via /info, and second, send arbitrary messages directly to those agents and their underlying tool sets via the WebSocket connection at /ws.

Impact

The impact of this vulnerability is severe. With no authentication required and no user interaction needed, an attacker can fully interact with the AI agent ecosystem. This allows for enumeration of the system's capabilities and, more critically, the ability to invoke agent tools with malicious data. Depending on the tools available to the agents (which could include code execution, data access, or external API calls), this could lead to data theft, system compromise, or further network penetration. The high CVSS score of 9.1 reflects the ease of exploitation and the significant potential for damage.

Remediation and Mitigation

The primary and mandatory action is to immediately upgrade the PraisonAI installation to version 4.5.97 or later, where this issue has been patched.

If immediate patching is not possible, consider these temporary mitigation steps:

  • Network Segmentation: Isolate the PraisonAI Gateway server from untrusted networks, especially the internet. Restrict access to its ports (typically 8000 or similar) using firewall rules to only allow connections from strictly necessary, trusted IP addresses.
  • Monitor for Unauthorized Access: Review server logs for connections to the /ws and /info paths from unexpected source IP addresses. Any such activity should be treated as a potential security incident.
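One way to run the log review described in the second mitigation, as an added example that is not part of the original advisory or of PraisonAI. It assumes the gateway sits behind a reverse proxy that writes Common/Combined Log Format; the trusted networks and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: only these networks should ever reach the gateway (placeholders).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8")]
SENSITIVE_PATHS = ("/ws", "/info")  # the two unauthenticated endpoints named above

# Assumed format: ip ident user [time] "METHOD target PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable source field is never treated as trusted
    return any(ip in net for net in TRUSTED_NETS)

def normalize_path(target):
    # Drop query string, fragment and trailing slashes: "/info/?x=1" -> "/info".
    path = target.split("?", 1)[0].split("#", 1)[0]
    return path.rstrip("/") or "/"

def find_untrusted_access(lines):
    """Return {source_ip: [(timestamp, path, status), ...]} for untrusted hits."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed log format
        path = normalize_path(m["target"])
        if path in SENSITIVE_PATHS and not is_trusted(m["ip"]):
            hits[m["ip"]].append((m["ts"], path, int(m["status"])))
    return dict(hits)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2026:09:00:01 +0000] "GET /info HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2026:09:02:10 +0000] "GET /info HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Jan/2026:09:02:14 +0000] "GET /ws HTTP/1.1" 101 0 "-" "-"',
    '198.51.100.23 - - [01/Jan/2026:09:05:40 +0000] "GET /info/?v=1 HTTP/1.1" 200 512 "-" "-"',
    '198.51.100.23 - - [01/Jan/2026:09:05:41 +0000] "GET / HTTP/1.1" 404 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, events in find_untrusted_access(SAMPLE_LOG).items():
        print(ip, events)
```

A status of 101 on /ws means the WebSocket upgrade was accepted, so those entries deserve the closest review.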

Organizations using AI agent frameworks should treat them with the same security rigor as any other networked service, ensuring authentication and authorization are enabled by default. The rush to adopt AI SOC agents must not outpace foundational security configuration.

Security Insight

This vulnerability exemplifies the “default-insecure” posture common in rapidly developed tools for emerging tech like AI agent orchestration, where functionality is prioritized over security. It mirrors historical incidents in early IoT and cloud services, where management interfaces were left openly accessible. As hackers adopt AI-powered tools, such exposed control planes become high-value targets for automating attacks at scale.
