{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40116", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-09T01:41:38.537Z", "datePublished": "2026-04-09T21:20:24.708Z", "dateUpdated": "2026-04-14T14:42:42.722Z"}, "containers": {"cna": {"title": "PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits", "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"version": "< 4.5.128", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:20:24.708Z"}, "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128."}], "source": {"advisory": "GHSA-q5r4-47m9-5mc7", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-14T14:42:36.529534Z", "id": "CVE-2026-40116", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:42:42.722Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-40116", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:42:36.529534Z"}}}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:42:21.173Z"}}], "cna": {"title": "PraisonAI's Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits", "source": {"advisory": "GHSA-q5r4-47m9-5mc7", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "MervinPraison", "product": "PraisonAI", "versions": [{"status": "affected", "version": "< 4.5.128"}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "name": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770: Allocation of Resources Without Limits or Throttling"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-09T21:20:24.708Z"}}}, "cveMetadata": {"cveId": "CVE-2026-40116", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:42:42.722Z", "dateReserved": "2026-04-09T01:41:38.537Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-09T21:20:24.708Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "matchCriteriaId": "56CDE5F5-B03C-4C3A-9A92-F61C9DFDA9B1", "versionEndExcluding": "4.5.128", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128."}], "id": "CVE-2026-40116", "lastModified": "2026-04-17T18:33:22.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-09T22:16:35.297", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.5.128)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "PraisonAI", "source": "cna", "vendor": "MervinPraison"}, "product": "praisonai", "vendor": "mervinpraison"}], "analysis": {"en": {"generated_at": "2026-04-09T22:40:56.574370+00:00", "value": {"mitigation_remediation": ["Upgrade PraisonAI to version 4.5.128 or later, which implements authentication and rate limits on the media-stream endpoint."], "summary": {"action": "Immediate Patch", "impact": "Unauthenticated use of server resources and OpenAI API credits"}, "threat_synthesis": {"affected_systems": "The vulnerability affects PraisonAI products from MervinPraison. All versions before 4.5.128 are impacted. The failure is in the media\u2011stream WebSocket call module, which is a core component of the multi\u2011agent teams system.", "description_and_impact": "PraisonAI\u2019s /media-stream WebSocket endpoint allows any client to connect without authentication or Twilio signature validation. Each connection instantiates a session with OpenAI\u2019s Realtime API using the server\u2019s API key. Because there are no limits on concurrent connections, message rate or size, an attacker can use this path to exhaust server resources and drain the victim\u2019s OpenAI API credits. The weakness is an uncontrolled resource consumption flaw (CWE\u2011770).", "risk_and_exploitability": "The CVSS score of 7.5 indicates high severity, and the lack of authentication makes exploitation trivial for anyone with network access to the server. Because the endpoint is public, attackers can mount large\u2011scale requests, potentially causing a denial\u2011of\u2011service condition and inflating cloud costs. The EPSS score is not available, and the vulnerability is not listed in the KEV catalog, but the high CVSS and remote unauthenticated nature make it a significant risk."}}}}, "created": "2026-04-10T08:38:12.360253+00:00", "updated": "2026-04-10T09:28:54.848618+00:00", "vendors": ["mervinpraison", "mervinpraison$PRODUCT$praisonai"]}