CVE-2026-39889: PraisonAI: unauth A2U stream leaks all agent activity

GHSA-f292-66h9-fpmf HIGH
Published April 8, 2026
CISO Take

PraisonAI's A2U event stream server exposes live agent activity to any unauthenticated network attacker via five unprotected endpoints — no credentials required to subscribe and receive a real-time SSE feed of agent responses, internal reasoning, and tool call arguments. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N), exploitation requires only two HTTP requests and zero specialized knowledge, making this accessible to even opportunistic attackers against any internet-exposed PraisonAI deployment. This is the second authentication gap discovered in PraisonAI within weeks (following CVE-2026-34952), indicating systemic auth hygiene issues in the A2U communication layer rather than an isolated oversight. Organizations running praisonai <= 4.5.114 should upgrade to 4.5.115 immediately; if patching is delayed, block all /a2u/* endpoints at the network perimeter until the fix is applied.

Sources: NVD GitHub Advisory ATLAS

What is the risk?

High risk. The vulnerability is unauthenticated (PR:N), network-accessible (AV:N), low-complexity (AC:L), and requires no user interaction (UI:N). In AI agent deployments, this grants adversaries a real-time window into the agent's full cognitive process: internal thinking chains, tool invocation arguments (which frequently carry business-sensitive payloads including API keys, database queries, and document content), and complete agent responses. The exposure of 'agent.thinking' events is particularly severe as it can surface system prompt fragments and proprietary reasoning not intended for any external party. Risk is compounded by the pattern of repeated auth bypasses in PraisonAI, which may indicate broader architectural gaps across the codebase.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip <= 4.5.114 4.5.115
1 dependents 82% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
0.4%
chance of exploitation in 30 days
Higher than 34% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C High
I None
A None

What should I do?

5 steps
  1. Patch immediately: upgrade praisonai to >= 4.5.115.

  2. If patching is delayed: block all /a2u/* endpoint paths at the network layer via firewall rules, reverse proxy ACLs, or WAF policy.

  3. Detection: audit web/proxy logs for unauthorized access to /a2u/subscribe, /a2u/events/*, /a2u/info, and /a2u/health — any access from non-whitelisted sources constitutes a confirmed exposure event.

  4. Scope assessment: determine whether the A2U server was internet-facing or only internally exposed; if internet-facing, treat as a potential data breach and review what agent activity was streamed during the exposure window.

  5. Audit posture: given CVE-2026-34952 preceded this, audit all other PraisonAI-exposed endpoints for similar missing authentication checks before assuming the patch resolves all gaps.

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable Yes
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.9.3 - AI System Information Security
NIST AI RMF
GOVERN-6.2 - Policies and Procedures for AI Risk Oversight
OWASP LLM Top 10
LLM02:2025 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-39889?

PraisonAI's A2U event stream server exposes live agent activity to any unauthenticated network attacker via five unprotected endpoints — no credentials required to subscribe and receive a real-time SSE feed of agent responses, internal reasoning, and tool call arguments. With a CVSS of 7.5 (AV:N/AC:L/PR:N/UI:N), exploitation requires only two HTTP requests and zero specialized knowledge, making this accessible to even opportunistic attackers against any internet-exposed PraisonAI deployment. This is the second authentication gap discovered in PraisonAI within weeks (following CVE-2026-34952), indicating systemic auth hygiene issues in the A2U communication layer rather than an isolated oversight. Organizations running praisonai <= 4.5.114 should upgrade to 4.5.115 immediately; if patching is delayed, block all /a2u/* endpoints at the network perimeter until the fix is applied.

Is CVE-2026-39889 actively exploited?

No confirmed active exploitation of CVE-2026-39889 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-39889?

1. Patch immediately: upgrade praisonai to >= 4.5.115. 2. If patching is delayed: block all /a2u/* endpoint paths at the network layer via firewall rules, reverse proxy ACLs, or WAF policy. 3. Detection: audit web/proxy logs for unauthorized access to /a2u/subscribe, /a2u/events/*, /a2u/info, and /a2u/health — any access from non-whitelisted sources constitutes a confirmed exposure event. 4. Scope assessment: determine whether the A2U server was internet-facing or only internally exposed; if internet-facing, treat as a potential data breach and review what agent activity was streamed during the exposure window. 5. Audit posture: given CVE-2026-34952 preceded this, audit all other PraisonAI-exposed endpoints for similar missing authentication checks before assuming the patch resolves all gaps.

What systems are affected by CVE-2026-39889?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent systems, AI-powered applications, event-driven AI pipelines.

What is the CVSS score for CVE-2026-39889?

CVE-2026-39889 has a CVSS v3.1 base score of 7.5 (HIGH). The EPSS exploitation probability is 0.43%.

What is the AI security impact?

Affected AI Architectures

agent frameworksmulti-agent systemsAI-powered applicationsevent-driven AI pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0057 LLM Data Leakage
AML.T0063 Discover AI Model Outputs
AML.T0084 Discover AI Agent Configuration
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.9.3
NIST AI RMF: GOVERN-6.2
OWASP LLM Top 10: LLM02:2025

What are the technical details?

Original Advisory

The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952. The create_a2u_routes() function registers the following endpoints with NO authentication checks: - GET /a2u/info — exposes server info and stream names - POST /a2u/subscribe — creates event stream subscription - GET /a2u/events/{stream_name} — streams ALL agent events - GET /a2u/events/sub/{id} — streams events for subscription - GET /a2u/health — health check An unauthenticated attacker can: 1. POST /a2u/subscribe → receive subscription_id 2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of all agent events including responses, tool calls, and thinking This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker. <img width="1512" height="947" alt="image" src="https://github.com/user-attachments/assets/3438f3ea-75ec-4978-9dd9-d9a6da42c248" /> <img width="1512" height="571" alt="image" src="https://github.com/user-attachments/assets/ee3313f6-f522-48f7-9c06-e5e265c6aeb4" /> [1] POST /a2u/subscribe (no auth token) Status: 200 Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"} Got subscription_id: sub-a1ad8a6edd8b [2] GET /a2u/info (no auth token) Status: 200 Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]} [3] GET /a2u/health (no auth token) Status: 200 Response: {"status":"healthy","active_subscriptions":1,"active_streams":1} Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time

Exploitation Scenario

An attacker targeting an organization using PraisonAI enumerates the A2U component via /a2u/health fingerprinting or path discovery. With no credentials, they POST to /a2u/subscribe and receive a subscription_id in the response. They then open a persistent SSE connection to GET /a2u/events/sub/{subscription_id} and begin receiving a continuous real-time stream of all agent events: 'agent.thinking' events expose internal reasoning chains and potential system prompt fragments; 'agent.tool_call' events reveal tool invocations with full argument payloads including any database queries, API calls, file read operations, or credentials passed to tools; 'agent.response' events deliver the agent's final outputs. The attacker gains complete operational visibility into the AI agent's activity with zero interaction from the victim and no risk of detection beyond standard HTTP access logs.

Weaknesses (CWE)

CWE-200 — Exposure of Sensitive Information to an Unauthorized Actor: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

Published
April 8, 2026
Last Modified
April 9, 2026
First Seen
April 8, 2026

Related Vulnerabilities