{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40149", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T19:31:56.013Z", "datePublished": "2026-04-09T21:23:03.831Z", "dateUpdated": "2026-04-09T21:28:40.771Z"}, "containers": {"cna": {"title": "PraisonAI has an Unauthenticated Allow-List Manipulation Bypasses Agent Tool Approval Safety Controls", "problemTypes": [{"descriptions": [{"cweId": "CWE-396", "lang": "en", "description": "CWE-396: Declaration of Catch for Generic Exception", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:28:40.771Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128."}], "source": {"advisory": "GHSA-4wr3-f4p3-5wjh", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the gateway's /api/approval/allow-list endpoint permits unauthenticated modification of the tool approval allowlist when no auth_token is configured (the default). By adding dangerous tool names (e.g., shell_exec, file_write) to the allowlist, an attacker can cause the ExecApprovalManager to auto-approve all future agent invocations of those tools, bypassing the human-in-the-loop safety mechanism that the approval system is specifically designed to enforce. This vulnerability is fixed in 4.5.128."}], "id": "CVE-2026-40149", "lastModified": "2026-04-09T22:16:35.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 4.7, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:35.750", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-4wr3-f4p3-5wjh"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-396"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T22:39:59.801451+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to PraisonAI version 4.5.128 or later", "If a patch is unavailable, remove or disable the unauthenticated /api/approval/allow-list endpoint from the gateway configuration", "Restrict access to the gateway API to authorized users only, for example by placing it behind a VPN or firewall", "Monitor the allowlist for unauthorized changes and set up alerts to detect when dangerous tool names are added"], "summary": {"action": "Patch Immediately", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to MervinPraison PraisonAI versions prior to 4.5.128. The affected component is the gateway service that manages the tool approval allowlist.", "description_and_impact": "An unauthenticated modification of the gateway's /api/approval/allow-list endpoint allows an attacker to add dangerous tool names such as shell_exec or file_write to the allowlist. Once those names are auto\u2011approved, the agent can invoke them without human review, effectively bypassing the safety controls meant to prevent malicious activity. This results in the ability to execute arbitrary code or write files, compromising confidentiality, integrity, and availability of the system.", "risk_and_exploitability": "The CVSS score of 7.9 indicates a high severity. Exploitation is possible via unauthenticated HTTP requests to the /api/approval/allow-list endpoint; therefore the attack vector is likely network\u2011based web API access. The EPSS score is not provided, and the vulnerability is not listed in CISA\u2019s KEV catalog, but the high CVSS and completeness of the attack path suggest that attackers may find this asset appealing, especially in environments where the gateway is exposed."}}}}, "created": "2026-04-10T08:38:09.335639+00:00", "updated": "2026-04-10T09:28:51.904714+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}