PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication.
Metrics
Affected Vendors & Products
References
History
Sat, 11 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication. | |
| Title | PraisonAI before 1.7.3 Unauthenticated Agent Access via Insecure Defaults | |
| First Time appeared |
Praison
Praison praisonai |
|
| Weaknesses | CWE-200 | |
| CPEs | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Praison
Praison praisonai |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-11T13:01:01.057Z
Reserved: 2026-07-09T14:05:21.470Z
Link: CVE-2026-61426
No data.
No data.
No data.
OpenCVE Enrichment
No data.