PraisonAI unauthenticated remote session hijacking (CVE-2026-40289)
CVE-2026-40289
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote ses...
Overview
A critical vulnerability in the PraisonAI browser bridge allows unauthenticated remote attackers to hijack active browser automation sessions. The flaw is due to insufficient authentication and a bypassable security check on a key network endpoint.
Vulnerability Details
The vulnerability, tracked as CVE-2026-40289, exists in the WebSocket endpoint (/ws) of the PraisonAI browser bridge (praisonai browser start). The server, which binds to all network interfaces (0.0.0.0) by default, only validates the HTTP Origin header if one is sent. Attackers can connect from any non-browser client that omits this header, completely bypassing the intended security check.
Once connected, an attacker can send a start_session message. The server will then route this command to the first idle browser-extension WebSocket connection, effectively handing over control of that user’s browser automation session to the attacker.
Impact
This flaw has a critical impact with a CVSS score of 9.1. An unauthenticated network-based attacker can achieve the following:
- Remote Session Hijacking: Take control of connected browser automation sessions without any user interaction.
- Sensitive Data Leakage: Receive all outputs and results from the hijacked automation, which could include private page content, form data, or credentials.
- Unauthorized Actions: Use the hijacked session to perform any model-backed browser actions, potentially leading to further system compromise or data manipulation.
Any instance where the PraisonAI browser bridge is exposed on a network-reachable interface is vulnerable.
Remediation and Mitigation
The primary and mandatory action is to update the affected software immediately.
- Update PraisonAI to version 4.5.139 or later.
- Update the
praisonaiagentspackage to version 1.5.140 or later.
These updated versions contain the necessary fixes. If immediate updating is not possible, you must ensure the PraisonAI browser bridge service is not exposed to untrusted networks. Restrict network access using host-based firewalls or by running the service in a strictly isolated network segment. Do not rely on the default binding to 0.0.0.0 in production environments.
Security Insight
This vulnerability highlights the acute risks introduced by AI-powered automation tools that bridge digital agents and physical user sessions. Similar to past incidents where AI SOC agents can mask underlying security gaps, the advanced functionality of PraisonAI was undermined by a foundational security oversight in session management. As threat actors begin to adopt tools like CyberStrikeAI for their own attacks, the security of the AI tools themselves becomes the first line of defense.
Further Reading
Never miss a critical vulnerability
Get real-time security alerts delivered to your preferred platform.
Related Advisories
Missing authentication for critical function in Azure MCP Server allows an unauthorized attacker to disclose information over a network....
PraisonAI is a multi-agent teams system. Prior to version 4.5.97, the PraisonAI Gateway server accepts WebSocket connections at /ws and serves agent topology at /info with no authentication. Any netwo...
OneUptime is an open-source monitoring and observability platform. Prior to version 10.0.42, unauthenticated access to Notification test and Phone Number management endpoints allows SMS/Call/Email/Wha...
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /...