{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-40289/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-40289"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["cve-2026-40289","websocket","remote-code-execution","praisonai"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003ePraisonAI, a multi-agent team system, is affected by a critical vulnerability (CVE-2026-40289) in versions prior to 4.5.139 and praisonaiagents versions prior to 1.5.140. The vulnerability lies in the browser bridge component (\u0026ldquo;praisonai browser start\u0026rdquo;), which lacks proper authentication and has a bypassable origin check on its /ws WebSocket endpoint. The server, binding to 0.0.0.0 by default, inadequately validates the Origin header, permitting connections from non-browser clients omitting this header. This flaw allows an unauthenticated attacker to remotely hijack sessions and broadcast automation actions and outputs. This can lead to unauthorized remote control of connected browser automation sessions, leakage of sensitive page context and automation results, and misuse of model-backed browser actions.\nDefenders must prioritize patching affected systems to mitigate this severe risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a vulnerable PraisonAI instance with network access to the browser bridge component.\u003c/li\u003e\n\u003cli\u003eAttacker establishes a direct WebSocket connection to the /ws endpoint of the browser bridge, omitting the Origin header to bypass the weak origin check.\u003c/li\u003e\n\u003cli\u003eAttacker sends a \u0026ldquo;start_session\u0026rdquo; message to the WebSocket endpoint.\u003c/li\u003e\n\u003cli\u003eThe server routes the attacker\u0026rsquo;s \u0026ldquo;start_session\u0026rdquo; request to the first idle browser-extension WebSocket, effectively hijacking that session.\u003c/li\u003e\n\u003cli\u003eThe hijacked browser session begins executing commands dictated by the attacker.\u003c/li\u003e\n\u003cli\u003eAll automation actions and outputs resulting from the hijacked session are broadcast back to the attacker via the WebSocket connection.\u003c/li\u003e\n\u003cli\u003eAttacker gains unauthorized remote control of the connected browser automation session.\u003c/li\u003e\n\u003cli\u003eAttacker exfiltrates sensitive data and/or misuses model-backed browser actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-40289 can lead to complete compromise of PraisonAI browser automation sessions. An attacker can gain unauthorized remote control, potentially leading to leakage of sensitive page context and automation results. Furthermore, they can misuse model-backed browser actions. The vulnerability affects all environments where the bridge is network-reachable.\nThe severity of the impact is high, as it allows for unauthenticated remote code execution within the context of the PraisonAI browser extension.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade PraisonAI to version 4.5.139 or later, and praisonaiagents to version 1.5.140 or later to patch CVE-2026-40289.\u003c/li\u003e\n\u003cli\u003eMonitor network connections to the /ws endpoint on PraisonAI servers (logsource category: network_connection, product: windows/linux).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect suspicious WebSocket connections without an Origin header (see rule below).\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit network access to the PraisonAI browser bridge component.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-14T04:18:47Z","date_published":"2026-04-14T04:18:47Z","id":"/briefs/2026-04-praisonai-rce/","summary":"PraisonAI versions before 4.5.139 and praisonaiagents versions before 1.5.140 are vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on the /ws WebSocket endpoint, enabling unauthorized remote control and data leakage.","title":"PraisonAI Unauthenticated Remote Session Hijacking Vulnerability (CVE-2026-40289)","url":"https://feed.craftedsignal.io/briefs/2026-04-praisonai-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2026-40289","version":"https://jsonfeed.org/version/1.1"}