CVE-2026-40289: CWE-306: Missing Authentication for Critical Function in MervinPraison PraisonAI
CVE-2026-40289 is a critical vulnerability in MervinPraison's PraisonAI versions below 4. 5. 139 and praisonaiagents below 1. 5. 140. The vulnerability arises from missing authentication on the /ws WebSocket endpoint of the browser bridge component, combined with a bypassable origin check. This allows unauthenticated remote attackers to hijack browser automation sessions by connecting to the WebSocket endpoint, sending a start_session message, and gaining control over the first idle browser-extension WebSocket. Exploitation can lead to unauthorized remote control, leakage of sensitive page context, and misuse of browser automation actions. The issue has been fixed in versions 4. 5.
AI Analysis
Technical Summary
PraisonAI's browser bridge component listens on all network interfaces (0.0.0.0) and exposes a /ws WebSocket endpoint that lacks proper authentication and only conditionally validates the Origin header. Non-browser clients can omit the Origin header to bypass this check. An unauthenticated attacker can connect to this endpoint, send a start_session message, and the server will route this to the first idle browser-extension WebSocket, effectively hijacking that session. This allows the attacker to receive all automation actions and outputs, enabling unauthorized control and data leakage. The vulnerability is identified as CWE-306 (Missing Authentication for Critical Function) and has a CVSS 3.1 score of 9.1 (critical). The vulnerability is fixed in PraisonAI 4.5.139 and praisonaiagents 1.5.140.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to hijack active browser automation sessions, leading to unauthorized remote control of browser actions, leakage of sensitive page context and automation results, and potential misuse of model-backed browser automation. This compromises confidentiality and integrity of the affected system's browser automation environment. Availability impact is not indicated.
Mitigation Recommendations
A fix is available in PraisonAI version 4.5.139 and praisonaiagents version 1.5.140. Users should upgrade to these or later versions to remediate the vulnerability. No official vendor advisory or temporary mitigations are provided in the available data. Until patched, restricting network access to the /ws WebSocket endpoint to trusted clients only may reduce exposure.
CVE-2026-40289: CWE-306: Missing Authentication for Critical Function in MervinPraison PraisonAI
Description
CVE-2026-40289 is a critical vulnerability in MervinPraison's PraisonAI versions below 4. 5. 139 and praisonaiagents below 1. 5. 140. The vulnerability arises from missing authentication on the /ws WebSocket endpoint of the browser bridge component, combined with a bypassable origin check. This allows unauthenticated remote attackers to hijack browser automation sessions by connecting to the WebSocket endpoint, sending a start_session message, and gaining control over the first idle browser-extension WebSocket. Exploitation can lead to unauthorized remote control, leakage of sensitive page context, and misuse of browser automation actions. The issue has been fixed in versions 4. 5.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
PraisonAI's browser bridge component listens on all network interfaces (0.0.0.0) and exposes a /ws WebSocket endpoint that lacks proper authentication and only conditionally validates the Origin header. Non-browser clients can omit the Origin header to bypass this check. An unauthenticated attacker can connect to this endpoint, send a start_session message, and the server will route this to the first idle browser-extension WebSocket, effectively hijacking that session. This allows the attacker to receive all automation actions and outputs, enabling unauthorized control and data leakage. The vulnerability is identified as CWE-306 (Missing Authentication for Critical Function) and has a CVSS 3.1 score of 9.1 (critical). The vulnerability is fixed in PraisonAI 4.5.139 and praisonaiagents 1.5.140.
Potential Impact
Successful exploitation allows unauthenticated remote attackers to hijack active browser automation sessions, leading to unauthorized remote control of browser actions, leakage of sensitive page context and automation results, and potential misuse of model-backed browser automation. This compromises confidentiality and integrity of the affected system's browser automation environment. Availability impact is not indicated.
Mitigation Recommendations
A fix is available in PraisonAI version 4.5.139 and praisonaiagents version 1.5.140. Users should upgrade to these or later versions to remediate the vulnerability. No official vendor advisory or temporary mitigations are provided in the available data. Until patched, restricting network access to the /ws WebSocket endpoint to trusted clients only may reduce exposure.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.035Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69ddbc3182d89c981fc24dd2
Added to database: 4/14/2026, 4:01:53 AM
Last enriched: 4/14/2026, 4:17:02 AM
Last updated: 4/14/2026, 6:35:50 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.