LeakyCreds

CVE-2026-40289 - Vulnerability Analysis

Critical (CVSS: 9.1)

Last Updated: April 14, 2026

PraisonAI - Authentication Bypass & Remote Session Hijacking

Published: April 14, 2026
Updated: April 14, 2026
Remote Exploitable

Overview

PraisonAI < 4.5.139 and praisonaiagents < 1.5.140 contain an unauthenticated remote session hijacking vulnerability caused by missing authentication and a bypassable origin check on the /ws WebSocket endpoint. An unauthenticated network attacker can hijack browser automation sessions and access sensitive data; exploitation requires network access to the bridge.
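To make the two defects concrete for anyone reviewing a similar WebSocket bridge, the following added example (not PraisonAI's code) contrasts a substring-style Origin check, which a non-matching origin can still satisfy, with a handshake check that requires an exact origin allowlist match plus a bearer token. The allowlist, token value and header dicts are constructed for illustration.

```python
# Added example, not PraisonAI's code: a bypassable Origin check on a WebSocket
# upgrade beside a hardened handshake check. All values are constructed.
import hmac
from urllib.parse import urlsplit

# Assumed: the bridge is meant to be reachable only from its own local UI.
ALLOWED_ORIGINS = {"http://localhost:8765", "http://127.0.0.1:8765"}
# Assumed: a per-launch random secret shared with the legitimate client.
BRIDGE_TOKEN = "constructed-example-token"


def weak_origin_check(headers: dict) -> bool:
    """Bypassable: accepts any Origin that merely *contains* 'localhost'.

    Also no authentication: origin alone never proves who the client is,
    since non-browser clients can send any Origin header they like.
    """
    origin = headers.get("Origin", "")
    return "localhost" in origin


def hardened_ws_auth(headers: dict) -> bool:
    """Require an exact Origin allowlist match AND a valid bearer token on /ws."""
    parts = urlsplit(headers.get("Origin", ""))
    # Compare scheme://host[:port] exactly, case-insensitively; no substring match.
    normalized = f"{parts.scheme}://{parts.netloc}".lower()
    if normalized not in ALLOWED_ORIGINS:
        return False
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    return hmac.compare_digest(token, BRIDGE_TOKEN)


if __name__ == "__main__":
    # Constructed handshake headers: a look-alike origin with no token.
    lookalike = {"Origin": "http://localhost.example.net"}
    print("weak check accepts look-alike origin:", weak_origin_check(lookalike))
    print("hardened check accepts look-alike origin:", hardened_ws_auth(lookalike))
    legit = {"Origin": "http://localhost:8765",
             "Authorization": f"Bearer {BRIDGE_TOKEN}"}
    print("hardened check accepts legitimate client:", hardened_ws_auth(legit))
```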

Severity & Score

Severity: Critical
CVSS Score: 9.1
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Unauthenticated attackers can hijack browser automation sessions, access sensitive data, and control browser actions remotely.

Mitigation

Update to PraisonAI 4.5.139 and praisonaiagents 1.5.140 or later.

Social Media Activity (4 posts)

OffSequence (@offseq)
Apr 14, 2026

⚠️ CVE-2026-40289: PraisonAI <4.5.139 & praisonaiagents <1.5.140 have a critical missing auth vuln on /ws. Remote attackers can hijack browser automation sessions. Patch ASAP or restrict access! https://radar.offseq.com/threat/cve-2026-40289-cwe-306-missing-authentication-for--874e515b #OffSeq #Infosec #Vulnerability #PraisonAI
TheHackerWire (@thehackerwire)
Apr 14, 2026

🔴 CVE-2026-40289 - Critical (9.1) PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentication an... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-40289/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Details

CVE ID: CVE-2026-40289
Severity: Critical
CVSS Score: 9.1
Type: broken_authentication
Status: new
EPSS: 0.0%
Social Posts: 4

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score

0.0% (probability of exploitation in the next 30 days)