CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-61426: PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET

highCVSS 8.6CVE-2026-61426
PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication.

Details

Source
NVD Recent CVEs (US · database · site)
Severity
high — CVSS 8.6
Published
2026-07-11
Last updated
2026-07-11
Exploitation
Not in CISA KEV at last sync

Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-61426

Referenced CVEs

CVECSIRTS overviewExternal
CVE-2026-61426coverage & exploitation statusNVD · CVE.org

Recent advisories for PraisonAI

A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.

More from NVD Recent CVEs