CVE-2026-40149
Unauthenticated Allowlist Modification in PraisonAI Enables Approval Bypass
Publication date: 2026-04-09
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 4.5.128 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-396 | Catching overly broad exceptions promotes complex error handling code that is more likely to contain security vulnerabilities. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in PraisonAI versions prior to 4.5.128 in the gateway's /api/approval/allow-list endpoint. When no authentication token is configured (which is the default setting), this endpoint allows unauthenticated users to modify the tool approval allowlist.
An attacker can add dangerous tool names such as shell_exec or file_write to this allowlist. Doing so causes the ExecApprovalManager to automatically approve all future invocations of those tools by agents, effectively bypassing the human-in-the-loop safety mechanism that is intended to control and approve tool usage.
This vulnerability is fixed in version 4.5.128.
How can this vulnerability impact me?
The impact of this vulnerability is that an attacker can bypass critical safety controls by modifying the tool approval allowlist without authentication.
This allows the attacker to execute dangerous tools automatically, potentially leading to unauthorized code execution or file manipulation.
Because the human-in-the-loop approval mechanism is bypassed, malicious actions can proceed without oversight, increasing the risk of system compromise or data integrity issues.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking if the PraisonAI gateway's /api/approval/allow-list endpoint is accessible without authentication and if the auth_token is not configured (default setting).
One approach is to attempt accessing the /api/approval/allow-list endpoint on the PraisonAI gateway and observe if modifications to the tool approval allowlist can be made without authentication.
The advisory does not provide specific commands or tools. A general method is to use curl or a similar HTTP client to test the endpoint, for example:
- curl -X POST http://<praisonai_gateway>/api/approval/allow-list -d '{"tool_name":"shell_exec"}'
If the request succeeds without authentication and modifies the allowlist, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade PraisonAI to version 4.5.128 or later, where this vulnerability is fixed.
If upgrading immediately is not possible, configure an auth_token on the gateway to prevent unauthenticated access to the /api/approval/allow-list endpoint.
Additionally, review and restrict access to the gateway to trusted users only, and monitor for any unauthorized modifications to the tool approval allowlist.
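The monitoring step above can be run over access logs. The following is an added example, not part of the advisory or of PraisonAI's code: it assumes a reverse proxy in front of the gateway that writes combined-format access logs, and the trusted networks and sample log lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of the gateway writes combined-format access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
ALLOWLIST_PATH = "/api/approval/allow-list"  # endpoint named in the advisory
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}
# Assumption: operators manage the allowlist only from these networks.
TRUSTED_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("10.20.0.0/24")]

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable client address is never trusted
    return any(ip in net for net in TRUSTED_NETS)

def find_allowlist_changes(lines):
    """Flag state-changing requests to the allowlist endpoint from untrusted sources."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if path != ALLOWLIST_PATH or m["method"] not in WRITE_METHODS or is_trusted(m["ip"]):
            continue
        status = int(m["status"])
        findings.append({
            "time": m["ts"], "source": m["ip"], "method": m["method"], "status": status,
            "severity": "high" if 200 <= status < 300 else "info",  # 2xx: the change was accepted
        })
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.0.5 - - [10/Apr/2026:09:01:12 +0000] "POST /api/approval/allow-list HTTP/1.1" 200 31 "-" "curl/8.5.0"',
    '203.0.113.44 - - [10/Apr/2026:09:14:03 +0000] "POST /api/approval/allow-list HTTP/1.1" 200 31 "-" "python-requests/2.31"',
    '203.0.113.44 - - [10/Apr/2026:09:14:09 +0000] "GET /api/approval/allow-list HTTP/1.1" 200 88 "-" "python-requests/2.31"',
    '198.51.100.7 - - [10/Apr/2026:11:30:40 +0000] "POST /api/approval/allow-list/ HTTP/1.1" 401 17 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for finding in find_allowlist_changes(SAMPLE_LOG):
        print(finding)
```

Access logs in this format do not record the request body, so a "high" finding should be followed by comparing the current allowlist contents against the expected set.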
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows unauthenticated modification of the tool approval allowlist, which bypasses the human-in-the-loop safety mechanism designed to prevent unauthorized tool execution.
Such unauthorized access and control could lead to improper handling of sensitive data or unauthorized actions within the system, potentially violating security and privacy requirements mandated by standards like GDPR and HIPAA.
However, the provided information does not explicitly describe the direct impact on compliance with these regulations.