Tag

Api-Abuse

3 briefs RSS

npm PraisonAI AgentOS Unauthenticated API Exposure

The npm `praisonai` package's TypeScript `AgentOS` HTTP server defaults to `0.0.0.0` and exposes unauthenticated API endpoints (`/api/agents`, `/api/chat`), allowing attackers to disclose agent configurations and invoke agents without authorization, leading to potential data exfiltration, unauthorized actions, and resource consumption.

praisonai api-abuse unauthenticated-access information-disclosure server-side-request-forgery web node.js npm

2r 4t 2d ago

high advisory

PraisonAI Unauthenticated WebSocket Allows Resource Exhaustion

2 rules 1 TTP 1 CVE

PraisonAI before version 4.5.128 is vulnerable to resource exhaustion and API credit draining due to the `/media-stream` WebSocket endpoint accepting unauthenticated connections, allowing attackers to exhaust server resources and drain OpenAI API credits.

cve-2026-40116 resource-exhaustion websocket api-abuse cloud

2r 1t 1c Apr 9, 2026

high advisory

gmaps-mcp Unauthenticated HTTP Transport Allows Unlimited Google Maps API Calls

2 rules 1 IOC

The gmaps-mcp package allows unauthenticated access to Google Maps API calls when deployed with a blank MCP_API_KEY, potentially leading to significant financial costs for the operator; it also permits path injection attacks.

Places API +1 googlemaps unauthenticated-access api-abuse injection

2r 1i Jan 30, 2024