CVE-2026-40149

high

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128.
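The flaw described above, reduced to a simplified model as an added example; this is not PraisonAI's code and not the 4.5.128 patch. `ApprovalGate`, `authorized_fail_open`, `authorized_fail_closed` and `add_to_allowlist` are hypothetical names. The model contrasts an authorization check that fails open when no token is configured with one that fails closed.

```python
import hmac
from typing import Optional

# Hypothetical, simplified model of an approval gate; not PraisonAI's code.
class ApprovalGate:
    def __init__(self, auth_token: Optional[str] = None):
        self.auth_token = auth_token      # None models the default (no token set)
        self.allowlist: set[str] = set()

    def needs_human_approval(self, tool: str) -> bool:
        # Allowlisted tools are auto-approved; everything else waits for a human.
        return tool not in self.allowlist


def authorized_fail_open(gate: ApprovalGate, presented: Optional[str]) -> bool:
    # Flawed pattern from the description: no configured token means no check.
    if gate.auth_token is None:
        return True
    return presented is not None and hmac.compare_digest(
        presented.encode(), gate.auth_token.encode())


def authorized_fail_closed(gate: ApprovalGate, presented: Optional[str]) -> bool:
    # Hardened pattern: without a configured token, nobody may change policy.
    if not gate.auth_token or presented is None:
        return False
    return hmac.compare_digest(presented.encode(), gate.auth_token.encode())


def add_to_allowlist(gate, tool, presented, authorize) -> int:
    """Model of a request to the allow-list endpoint; returns an HTTP-style status."""
    if not authorize(gate, presented):
        return 401
    gate.allowlist.add(tool)
    return 200


def demo() -> dict:
    results = {}
    for name, check in (("fail_open", authorized_fail_open),
                        ("fail_closed", authorized_fail_closed)):
        gate = ApprovalGate()  # default configuration: auth_token unset
        status = add_to_allowlist(gate, "shell_exec", None, check)
        results[name] = (status, gate.needs_human_approval("shell_exec"))
    return results


if __name__ == "__main__":
    print(demo())
```

On deployments that cannot upgrade immediately, the same model suggests two checks: confirm that an auth_token is set on the gateway, and review the current allowlist for tool names nobody on the team added.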

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh

Details

Source: Mitre, NVD

Published: 2026-04-09

Updated: 2026-04-20

Risk Information

CVSS v2

Base Score: 5.2

Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:C/A:N

Severity: Medium

CVSS v3

Base Score: 7.3

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

Severity: High

EPSS

EPSS: 0.00012