CVE-2026-39889: PraisonAI: unauth A2U stream leaks all agent activity

GHSA-f292-66h9-fpmf HIGH
Published April 8, 2026
CISO Take

PraisonAI's A2U event stream server exposes live agent activity to any unauthenticated network attacker via five unprotected endpoints — no credentials required to subscribe and receive a real-time SSE feed of agent responses, internal reasoning, and tool call arguments. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N), exploitation requires only two HTTP requests and zero specialized knowledge, making this accessible to even opportunistic attackers against any internet-exposed PraisonAI deployment. This is the second authentication gap discovered in PraisonAI within weeks (following CVE-2026-34952), indicating systemic auth hygiene issues in the A2U communication layer rather than an isolated oversight. Organizations running praisonai <= 4.5.114 should upgrade to 4.5.115 immediately; if patching is delayed, block all /a2u/* endpoints at the network perimeter until the fix is applied.

Sources: NVD GitHub Advisory ATLAS

Risk Assessment

High risk. The vulnerability is unauthenticated (PR:N), network-accessible (AV:N), low-complexity (AC:L), and requires no user interaction (UI:N). In AI agent deployments, this grants adversaries a real-time window into the agent's full cognitive process: internal thinking chains, tool invocation arguments (which frequently carry business-sensitive payloads including API keys, database queries, and document content), and complete agent responses. The exposure of 'agent.thinking' events is particularly severe as it can surface system prompt fragments and proprietary reasoning not intended for any external party. Risk is compounded by the pattern of repeated auth bypasses in PraisonAI, which may indicate broader architectural gaps across the codebase.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
praisonai | pip | <= 4.5.114 | 4.5.115


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Recommended Action

  1. Patch immediately: upgrade praisonai to >= 4.5.115.
  2. If patching is delayed: block all /a2u/* endpoint paths at the network layer via firewall rules, reverse proxy ACLs, or WAF policy.
  3. Detection: audit web/proxy logs for unauthorized access to /a2u/subscribe, /a2u/events/*, /a2u/info, and /a2u/health — any access from non-whitelisted sources constitutes a confirmed exposure event.
  4. Scope assessment: determine whether the A2U server was internet-facing or only internally exposed; if internet-facing, treat as a potential data breach and review what agent activity was streamed during the exposure window.
  5. Audit posture: given CVE-2026-34952 preceded this, audit all other PraisonAI-exposed endpoints for similar missing authentication checks before assuming the patch resolves all gaps.
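
The log audit from step 3, as an added example (not code from the advisory or from the PraisonAI project). It assumes combined-format access logs and a trusted internal range of 10.0.0.0/8; the sample lines and the subscription id in them are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in combined log format (not from a real system).
SAMPLE_LOG = """\
10.0.5.12 - - [08/Apr/2026:10:01:02 +0000] "GET /a2u/health HTTP/1.1" 200 64 "-" "kube-probe/1.29"
203.0.113.40 - - [08/Apr/2026:10:03:11 +0000] "GET /a2u/info HTTP/1.1" 200 201 "-" "curl/8.5.0"
203.0.113.40 - - [08/Apr/2026:10:03:12 +0000] "POST /a2u/subscribe HTTP/1.1" 200 142 "-" "curl/8.5.0"
203.0.113.40 - - [08/Apr/2026:10:03:13 +0000] "GET /a2u/events/sub/sub-000000000000 HTTP/1.1" 200 58211 "-" "curl/8.5.0"
198.51.100.7 - - [08/Apr/2026:10:09:40 +0000] "GET /a2u/events/events?x=1 HTTP/1.1" 403 0 "-" "python-requests/2.32"
198.51.100.9 - - [08/Apr/2026:10:10:00 +0000] "GET /api/a2u-docs HTTP/1.1" 200 10 "-" "Mozilla/5.0"
"""

ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: trusted internal range
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# The endpoint paths named in the advisory.
A2U_RE = re.compile(r"^/a2u/(info|subscribe|health|events/.+)$")

def audit_a2u_access(log_text, allowed_nets=ALLOWED_NETS):
    """Return {client_ip: {"hits": [...], "streamed": bool}} for non-allowlisted A2U access."""
    findings = defaultdict(lambda: {"hits": [], "streamed": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, target, status = m.groups()
        path = target.split("?", 1)[0]  # ignore the query string when matching
        if not A2U_RE.match(path):
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # client field is not an IP (e.g. a hostname); review separately
        if any(addr in net for net in allowed_nets):
            continue
        entry = findings[ip]
        entry["hits"].append((ts, method, path, int(status)))
        # A 2xx on an events path means the SSE stream was actually served.
        if path.startswith("/a2u/events/") and status.startswith("2"):
            entry["streamed"] = True
    return dict(findings)

if __name__ == "__main__":
    for ip, f in audit_a2u_access(SAMPLE_LOG).items():
        label = "STREAM SERVED" if f["streamed"] else "probe/blocked"
        print(ip, label, len(f["hits"]), "request(s)")
```

Sources flagged with a served stream define the exposure window for step 4; the response size and connection duration in the proxy log indicate how much agent activity was delivered.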

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 9 - Risk Management System
ISO 42001: A.9.3 - AI System Information Security
NIST AI RMF: GOVERN-6.2 - Policies and Procedures for AI Risk Oversight
OWASP LLM Top 10: LLM02:2025 - Sensitive Information Disclosure

Technical Details

NVD Description

The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.

The create_a2u_routes() function registers the following endpoints with NO authentication checks:

- GET /a2u/info — exposes server info and stream names
- POST /a2u/subscribe — creates event stream subscription
- GET /a2u/events/{stream_name} — streams ALL agent events
- GET /a2u/events/sub/{id} — streams events for subscription
- GET /a2u/health — health check

An unauthenticated attacker can:

1. POST /a2u/subscribe → receive subscription_id
2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of all agent events including responses, tool calls, and thinking

This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker.

[1] POST /a2u/subscribe (no auth token)
Status: 200
Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"}
Got subscription_id: sub-a1ad8a6edd8b

[2] GET /a2u/info (no auth token)
Status: 200
Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]}

[3] GET /a2u/health (no auth token)
Status: 200
Response: {"status":"healthy","active_subscriptions":1,"active_streams":1}

Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time

Exploitation Scenario

An attacker targeting an organization using PraisonAI enumerates the A2U component via /a2u/health fingerprinting or path discovery. With no credentials, they POST to /a2u/subscribe and receive a subscription_id in the response. They then open a persistent SSE connection to GET /a2u/events/sub/{subscription_id} and begin receiving a continuous real-time stream of all agent events: 'agent.thinking' events expose internal reasoning chains and potential system prompt fragments; 'agent.tool_call' events reveal tool invocations with full argument payloads including any database queries, API calls, file read operations, or credentials passed to tools; 'agent.response' events deliver the agent's final outputs. The attacker gains complete operational visibility into the AI agent's activity with zero interaction from the victim and no risk of detection beyond standard HTTP access logs.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: April 8, 2026
Last Modified: April 8, 2026
First Seen: April 8, 2026
