Back to overview

CVE-2026-61426

HIGH
8.6
CVSS 3.1
Description
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication.

Metadata

CVE ID
CVE-2026-61426
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-09 14:05 UTC
Published
2026-07-11 13:01 UTC
Last updated
2026-07-11 13:01 UTC
Primary CWE
CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
Vendor / Product
MervinPraison / PraisonAI
Sources
cve.org  ·  NVD

Severity & Metrics

8.6 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Affected products (1)
VendorProductPlatformVersions
MervinPraison PraisonAI 0 < 1.7.3, 1.7.3
Weakness (CWE)
CWESourceDescription
CWE-200 cna Exposure of Sensitive Information to an Unauthorized Actor
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.8 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
8.6 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
References (2)
Back to overview