CVE-2026-40289
Unauthenticated Remote Session Hijacking in PraisonAI Browser Bridge
Publication date: 2026-04-14
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonai | up to 4.5.139 (excluding 4.5.139) |
| praison | praisonaiagents | up to 1.5.140 (excluding 1.5.140) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40289 is a critical vulnerability in PraisonAI's browser bridge component, affecting versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents. The issue arises because the browser bridge exposes a WebSocket endpoint (/ws) bound to all network interfaces (0.0.0.0) by default and does not require authentication.
The server only validates the Origin header if it is present, but accepts connections from clients that omit this header without restriction. This allows an unauthenticated attacker to connect remotely, send a start_session message, and hijack an active browser automation session by routing the message to the first idle browser-extension WebSocket client.
As a result, the attacker gains unauthorized remote control over the connected browser automation session, can receive sensitive page context and automation outputs, and misuse model-backed browser actions. This vulnerability stems from a flawed trust model that assumes all WebSocket peers are trusted local components, which is not enforced.
How can this vulnerability impact me?
This vulnerability can have severe impacts including unauthorized remote control of browser automation sessions, which can lead to misuse of automation capabilities.
An attacker can hijack active sessions to access sensitive page content and automation results, potentially leaking confidential information.
Because the server binds to all network interfaces by default, any network-reachable instance is vulnerable, increasing the risk of exploitation in environments where the bridge is exposed beyond localhost.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether the PraisonAI browser bridge is running a vulnerable version (PraisonAI below 4.5.139 or praisonaiagents below 1.5.140) and whether it is bound to 0.0.0.0, which exposes the /ws WebSocket endpoint to the network without authentication.
To detect the vulnerability on your network or system, you can scan for open WebSocket endpoints on port(s) used by PraisonAI and check if the Origin header is being validated or if connections without it are accepted.
Suggested commands use network scanning and WebSocket testing tools, for example:
- Use nmap to detect open ports and services: nmap -p <port> --script http-websocket <target-ip>
- Use a WebSocket client (e.g., websocat or wscat) to connect to the /ws endpoint without an Origin header and attempt to send a start_session message to see if the server accepts it.
- Example with websocat: websocat ws://<target-ip>:<port>/ws (omit Origin header) and send a JSON message {"type": "start_session"} to test if the connection is accepted and routed.
If the server accepts connections without an Origin header and routes start_session messages to connected clients, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade PraisonAI to version 4.5.139 or later and praisonaiagents to version 1.5.140 or later where the vulnerability is fixed.
- Configure the browser bridge to bind only to localhost (127.0.0.1) instead of 0.0.0.0 to prevent network exposure.
- Implement explicit authentication for all WebSocket clients connecting to the /ws endpoint.
- Reject WebSocket handshake requests that do not include a valid Origin header unless the connection is on a secured, authenticated localhost-only transport.
- Avoid routing start_session messages to the first idle connection; instead, explicitly pair authenticated controller and extension clients.
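The following is an added illustration of the last four mitigations, not PraisonAI's own code. It contrasts the flawed handshake policy described in the advisory (Origin checked only when present, no authentication) with a hardened policy that requires an allowlisted Origin plus a bearer token, and a broker that routes start_session only to an extension explicitly paired with its controller. ALLOWED_ORIGINS, the token, the pairing code and the header names are assumptions for illustration.

```python
import hmc_placeholder_removed  # (see below)
```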
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows unauthorized remote control of browser automation sessions and leakage of sensitive page content and automation results. Such unauthorized access and data leakage can lead to violations of data protection and privacy regulations like GDPR and HIPAA, which require strict controls on access to sensitive personal and health information.
Because the vulnerability enables unauthenticated attackers to hijack sessions and access sensitive data without authorization, it undermines confidentiality and integrity requirements mandated by these standards. Organizations using affected versions of PraisonAI may fail to meet compliance obligations related to protecting sensitive data from unauthorized access.
Mitigations such as requiring explicit authentication, restricting network exposure, and validating client origins are necessary to maintain compliance with these regulations by preventing unauthorized data access.