CVE-2026-56076
Gravedad CVSS v4.0:
ALTA
Tipo:
No Disponible / Otro tipo
Fecha de publicación:
18/06/2026
Última modificación:
22/06/2026
Descripción
*** Pendiente de traducción *** PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
Impacto
Puntuación base 4.0
8.60
Gravedad 4.0
ALTA
Puntuación base 3.x
8.10
Gravedad 3.x
ALTA
Referencias a soluciones, herramientas e información
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4
- https://www.vulncheck.com/advisories/praisonai-cross-origin-agent-execution-via-hardcoded-wildcard-cors-and-missing-authentication-on-agui-endpoint
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4



