CVE-2026-40116: PraisonAI: unauth WebSocket drains OpenAI API credits

HIGH
Published April 9, 2026
CISO Take

PraisonAI's /media-stream WebSocket endpoint (pre-4.5.128) accepts connections from any unauthenticated client and immediately opens a session to OpenAI's Realtime API using the server's credentials — no token, no Twilio signature, nothing. With no limits on concurrent connections, rate, or message size, any attacker who discovers the endpoint can spawn unlimited parallel sessions and exhaust both server resources and the victim's entire OpenAI API budget in minutes. The CVE is not in CISA KEV and carries no public exploit today, but the attack is trivially simple — a WebSocket client and the endpoint path are all that's required, placing exploitation within script-kiddie reach. Patch immediately to 4.5.128; if patching is delayed, block /media-stream at the network perimeter and rotate your OpenAI API key, then audit your OpenAI usage dashboard for anomalous spend spikes that may indicate prior exploitation.

Sources: NVD, GitHub Advisory, ATLAS

Risk Assessment

CVSS 7.5 (High) with AV:N/AC:L/PR:N/UI:N puts this in the highest exploitability tier — network-accessible, trivially low complexity, zero credentials required. The primary risk is financial (unbounded OpenAI API spend billed to the victim) and operational (service degradation from resource exhaustion). Without rate-limiting infrastructure upstream, a single attacker can cause material cost damage within minutes of discovery. Risk is amplified for any PraisonAI deployment exposed directly to the internet without a WAF, API gateway, or strict network segmentation.

Attack Kill Chain

  1. Reconnaissance (AML.T0006): Attacker identifies an internet-exposed PraisonAI deployment and discovers the /media-stream WebSocket endpoint via scanning, default port enumeration, or leaked configuration.
  2. Unauthenticated Access (AML.T0049): Attacker connects to /media-stream without credentials — no authentication check or Twilio signature validation is enforced by the server.
  3. API Credential Abuse (AML.T0040): Each WebSocket connection silently opens an authenticated OpenAI Realtime API session using the victim's server-side API key, transferring cost to the victim.
  4. Resource Exhaustion & Financial Harm (AML.T0034): Hundreds of concurrent connections exhaust server resources and drain the victim's OpenAI API budget, causing service outage and unbounded financial damage.

Affected Systems

Package: praisonai
Ecosystem: pip
Vulnerable Range:
Patched: No patch


Severity & Risk

CVSS 3.1: 7.5 / 10
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

Attack Surface

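Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): None
Integrity (I): None
Availability (A): High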

Recommended Action

  1. Patch: Upgrade praisonai to >= 4.5.128 immediately — this is the only complete fix.
  2. Network containment: Block or restrict access to /media-stream WebSocket endpoint at the load balancer or WAF level if patching cannot be done immediately.
  3. Rotate credentials: Rotate the OpenAI API key used by the PraisonAI server — assume it may have been abused by unauthorized parties.
  4. Audit spend: Review OpenAI API usage logs for anomalous spikes in the Realtime API usage that would indicate exploitation occurred.
  5. Hard limits: Set OpenAI usage alerts and hard spending caps via the OpenAI dashboard to constrain blast radius of future similar issues.
  6. Detection: Alert on unusual WebSocket connection volume to /media-stream path and on unexpected OpenAI API spend increases above baseline.
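
One way to implement the connection-volume alert from step 6, as an added example that is not part of the original advisory or the PraisonAI project. It assumes a reverse proxy writing nginx "combined" access logs in front of the server; the thresholds, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample (nginx "combined" format, documentation IP ranges):
# two ordinary upgrades, one unrelated request, one rejected handshake,
# then 30 upgrades from a single source inside one minute.
_FMT = '{ip} - - [09/Apr/2026:10:{m:02d}:{s:02d} +0000] "GET {path} HTTP/1.1" {st} 0 "-" "-"'
SAMPLE = [
    _FMT.format(ip="198.51.100.20", m=0, s=5, path="/media-stream", st=101),
    _FMT.format(ip="198.51.100.20", m=0, s=40, path="/media-stream", st=101),
    _FMT.format(ip="198.51.100.33", m=0, s=41, path="/health", st=200),
    _FMT.format(ip="203.0.113.7", m=0, s=59, path="/media-stream", st=403),
] + [_FMT.format(ip="203.0.113.7", m=1, s=s, path="/media-stream", st=101) for s in range(30)]


def upgrades_per_minute(lines, path="/media-stream"):
    """Count completed WebSocket upgrades (HTTP 101) per (source IP, minute)."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "101":
            continue
        if m["path"].split("?", 1)[0] != path:  # ignore any query string
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        counts[(m["ip"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    return counts


def alerts(lines, per_ip_limit=10, total_limit=25):
    """Return sorted alerts: ('ip', minute, ip, n) and ('total', minute, n)."""
    per_ip = upgrades_per_minute(lines)
    totals = Counter()
    for (_ip, minute), n in per_ip.items():
        totals[minute] += n  # catches bursts spread over many sources
    out = [("ip", minute, ip, n) for (ip, minute), n in per_ip.items() if n > per_ip_limit]
    out += [("total", minute, n) for minute, n in totals.items() if n > total_limit]
    return sorted(out)
```

Set both limits from your own baseline of legitimate call volume, and correlate any alert with the OpenAI usage dashboard for the same time window.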

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Art. 9 - Risk Management System
ISO 42001: A.9.2 - Access Control to AI Systems
NIST AI RMF: GOVERN-1.7 - Processes for Identifying and Addressing AI Risks
OWASP LLM Top 10: LLM10 - Unbounded Consumption

Frequently Asked Questions

What is CVE-2026-40116?

PraisonAI's /media-stream WebSocket endpoint (pre-4.5.128) accepts connections from any unauthenticated client and immediately opens a session to OpenAI's Realtime API using the server's credentials — no token, no Twilio signature, nothing. With no limits on concurrent connections, rate, or message size, any attacker who discovers the endpoint can spawn unlimited parallel sessions and exhaust both server resources and the victim's entire OpenAI API budget in minutes. The CVE is not in CISA KEV and carries no public exploit today, but the attack is trivially simple — a WebSocket client and the endpoint path are all that's required, placing exploitation within script-kiddie reach. Patch immediately to 4.5.128; if patching is delayed, block /media-stream at the network perimeter and rotate your OpenAI API key, then audit your OpenAI usage dashboard for anomalous spend spikes that may indicate prior exploitation.

Is CVE-2026-40116 actively exploited?

No confirmed active exploitation of CVE-2026-40116 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-40116?

  1. Patch: Upgrade praisonai to >= 4.5.128 immediately — this is the only complete fix.
  2. Network containment: Block or restrict access to /media-stream WebSocket endpoint at the load balancer or WAF level if patching cannot be done immediately.
  3. Rotate credentials: Rotate the OpenAI API key used by the PraisonAI server — assume it may have been abused by unauthorized parties.
  4. Audit spend: Review OpenAI API usage logs for anomalous spikes in the Realtime API usage that would indicate exploitation occurred.
  5. Hard limits: Set OpenAI usage alerts and hard spending caps via the OpenAI dashboard to constrain blast radius of future similar issues.
  6. Detection: Alert on unusual WebSocket connection volume to /media-stream path and on unexpected OpenAI API spend increases above baseline.

What systems are affected by CVE-2026-40116?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API proxies, voice and conversational AI pipelines.

What is the CVSS score for CVE-2026-40116?

CVE-2026-40116 has a CVSS v3.1 base score of 7.5 (HIGH).

Technical Details

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits. This vulnerability is fixed in 4.5.128.
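
The three missing controls named in the description (signature validation, a concurrent-connection limit, a message-size limit) can be sketched as a handshake gate. This is an added example, not PraisonAI's patch or code from the advisory: `MediaStreamGate`, its methods and the limits are hypothetical, and it assumes Twilio signs the exact public wss:// URL with no extra parameters and that header names arrive lower-cased.

```python
import base64
import hashlib
import hmac

MAX_FRAME_BYTES = 64 * 1024  # assumed per-message ceiling, tune to your audio framing


def twilio_signature(auth_token, url, params=None):
    """Twilio's documented scheme: base64(HMAC-SHA1(token, url + sorted name/value pairs))."""
    data = url + "".join(k + v for k, v in sorted((params or {}).items()))
    mac = hmac.new(auth_token.encode(), data.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()


class MediaStreamGate:
    """Hypothetical handshake gate: run admit() before any upstream OpenAI session opens."""

    def __init__(self, auth_token, public_url, max_sessions=20):
        self.auth_token = auth_token
        self.public_url = public_url  # exact wss:// URL configured on the Twilio side
        self.max_sessions = max_sessions
        self.active = 0  # single event loop assumed; add a lock if threads share this

    def admit(self, headers):
        """Return (allowed, reason) for one WebSocket handshake."""
        supplied = headers.get("x-twilio-signature", "")
        expected = twilio_signature(self.auth_token, self.public_url)
        # Constant-time compare; bytes avoid a TypeError on non-ASCII header values.
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return False, "bad-signature"
        if self.active >= self.max_sessions:
            return False, "session-cap"
        self.active += 1
        return True, "ok"

    def release(self):
        """Call when a session closes so the slot can be reused."""
        self.active = max(0, self.active - 1)

    @staticmethod
    def frame_allowed(frame):
        """Reject oversized messages before parsing or forwarding them."""
        return len(frame) <= MAX_FRAME_BYTES
```

Behind a TLS-terminating proxy the URL the application sees can differ from the one Twilio signed, so pass the externally visible URL to the gate rather than reconstructing it from the request.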

Exploitation Scenario

An attacker scans for PraisonAI deployments via Shodan or default port enumeration, or obtains the endpoint URL from leaked configuration or job postings. They write a trivial loop opening hundreds of simultaneous WebSocket connections to /media-stream — no credentials required, no challenge to solve. Each connection transparently proxies through to OpenAI's Realtime API using the server's key. The victim's OpenAI account accrues thousands of dollars in charges over hours while the PraisonAI server becomes unresponsive due to resource exhaustion. The attacker incurs zero cost and leaves minimal forensic traces beyond WebSocket access logs, which many organizations do not actively monitor.

Weaknesses (CWE)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published: April 9, 2026
Last Modified: April 9, 2026
First Seen: April 9, 2026
