{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-39889/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-39889"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2026-39889","information-disclosure","web-application"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent teams system, is vulnerable to unauthenticated information disclosure in versions prior to 4.5.115. The vulnerability, identified as CVE-2026-39889, stems from the A2U (Agent-to-User) event stream server exposing sensitive agent activity without proper authentication. The \u003ccode\u003ecreate_a2u_routes()\u003c/code\u003e function registers several endpoints, including \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e, \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e, and \u003ccode\u003e/a2u/health\u003c/code\u003e, without implementing authentication checks. An attacker can exploit this flaw to gain unauthorized insight into agent operations within the PraisonAI system. This vulnerability was reported on April 8, 2026, and patched in version 4.5.115.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a PraisonAI instance running a version prior to 4.5.115.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the \u003ccode\u003e/a2u/info\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe server responds with information about the available agent activity streams without requiring any authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker subscribes to a specific agent activity stream by sending an HTTP GET request to \u003ccode\u003e/a2u/subscribe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server provides the attacker with a stream ID, again without authentication.\u003c/li\u003e\n\u003cli\u003eThe attacker then requests event data from the \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e endpoint, substituting \u003ccode\u003e{stream_name}\u003c/code\u003e with a valid stream name obtained from \u003ccode\u003e/a2u/info\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker requests event data from the \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e endpoint, where \u003ccode\u003e{id}\u003c/code\u003e is a stream ID obtained from \u003ccode\u003e/a2u/subscribe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe server streams agent activity data to the attacker, enabling them to monitor agent actions and potentially extract sensitive information. The final objective is to gain unauthorized access to agent activity data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-39889 can lead to the unauthorized disclosure of sensitive information related to agent activity within the PraisonAI system. This could include confidential data processed by the agents, internal operational details, and potentially credentials or API keys used by the agents. While the exact number of affected installations is unknown, any organization using PraisonAI versions prior to 4.5.115 is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI installations to version 4.5.115 or later to remediate CVE-2026-39889.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests to the \u003ccode\u003e/a2u/info\u003c/code\u003e, \u003ccode\u003e/a2u/subscribe\u003c/code\u003e, \u003ccode\u003e/a2u/events/{stream_name}\u003c/code\u003e, \u003ccode\u003e/a2u/events/sub/{id}\u003c/code\u003e, and \u003ccode\u003e/a2u/health\u003c/code\u003e endpoints without prior authentication. Consider deploying the Sigma rule provided below to detect such activity.\u003c/li\u003e\n\u003cli\u003eImplement network access controls to restrict access to the PraisonAI server to only authorized users and systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-08T21:17:01Z","date_published":"2026-04-08T21:17:01Z","id":"/briefs/2026-04-praisonai-unauth-access/","summary":"PraisonAI versions prior to 4.5.115 expose agent activity without authentication due to improperly secured A2U event stream endpoints, potentially allowing unauthorized access to sensitive agent information.","title":"PraisonAI Unauthenticated Agent Activity Exposure (CVE-2026-39889)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-unauth-access/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-39889","version":"https://jsonfeed.org/version/1.1"}