CVE-2026-39889

HIGH7.5EPSS 0.02%

PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server

發布日:2026/4/8修改日:2026/4/9

描述

The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952. The create_a2u_routes() function registers the following endpoints with NO authentication checks: - GET /a2u/info — exposes server info and stream names - POST /a2u/subscribe — creates event stream subscription - GET /a2u/events/{stream_name} — streams ALL agent events - GET /a2u/events/sub/{id} — streams events for subscription - GET /a2u/health — health check An unauthenticated attacker can: 1. POST /a2u/subscribe → receive subscription_id 2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of all agent events including responses, tool calls, and thinking This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker. <img width="1512" height="947" alt="image" src="https://github.com/user-attachments/assets/3438f3ea-75ec-4978-9dd9-d9a6da42c248" /> <img width="1512" height="571" alt="image" src="https://github.com/user-attachments/assets/ee3313f6-f522-48f7-9c06-e5e265c6aeb4" /> [1] POST /a2u/subscribe (no auth token) Status: 200 Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"} Got subscription_id: sub-a1ad8a6edd8b [2] GET /a2u/info (no auth token) Status: 200 Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]} [3] GET /a2u/health (no auth token) Status: 200 Response: {"status":"healthy","active_subscriptions":1,"active_streams":1} Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time

受影響套件(1)

PyPI/praisonaifrom 0, < 4.5.115

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

描述

受影響套件(1)

CVSS 分數

參考連結(4)