CVE-2026-56076: PraisonAI: CORS bypass enables arbitrary agent execution

HIGH
Published June 18, 2026
CISO Take

PraisonAI's AGUI endpoint combines three weaknesses into a complete attack chain: no authentication, a hardcoded wildcard CORS header, and Starlette's Content-Type-agnostic JSON parsing — allowing any attacker-controlled web page to trigger arbitrary agent execution on behalf of a visiting user without triggering CORS preflight. The blast radius is significant: a victim visiting a malicious page while PraisonAI is running silently exposes all tool execution results and environment data, including API keys for LLM providers, file system contents, and any credentials available to the agent runtime. With CVSS 8.1, zero authentication barrier on the server, and 112 prior CVEs in this package, this is not a theoretical risk — PraisonAI has a demonstrated history of security debt in a framework that commonly holds privileged credentials. Upgrade immediately to 1.5.128 or later; if patching is blocked, restrict /agui to localhost via reverse proxy and rotate all API keys accessible to the agent environment.

Sources: NVD, GitHub Advisory, ATLAS, VulnCheck

What is the risk?

High. The attack requires only that a victim visit an attacker-controlled page while PraisonAI is running, a low bar in developer and internal tooling environments where social engineering or malicious ads can deliver the payload. Server-side there are no compensating controls: no authentication, no origin validation, no CSRF protection. The exploitation technique (simple cross-origin POST bypassing preflight via text/plain Content-Type) is trivial and requires no AI/ML expertise. The 112-CVE history for this package signals systemic security debt rather than isolated incidents. The primary constraint is the UI:R requirement, which prevents fully automated mass exploitation but does not materially reduce risk for targeted campaigns.

How does the attack unfold?

Drive-by Delivery
Attacker hosts a malicious web page and lures a PraisonAI user to visit it via phishing or malicious ad; the page embeds JavaScript targeting the victim's /agui endpoint.
AML.T0078
CORS Bypass & Exploitation
JavaScript sends a cross-origin POST with Content-Type: text/plain; Starlette parses the JSON payload regardless and the wildcard CORS header allows the browser to deliver the response — no preflight, no auth required.
AML.T0049
Unauthorized Agent Tool Invocation
The attacker-controlled payload triggers arbitrary agent workflows, executing tools such as environment variable dumpers, file readers, or external API callers within the victim's PraisonAI context.
AML.T0053
Credential & Data Exfiltration
Complete agent responses — including LLM provider API keys, database credentials, and tool output — are returned cross-origin to the attacker's JavaScript and shipped to attacker-controlled infrastructure.
AML.T0086
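Each stage of the chain above maps onto one missing server-side check. The following is an added illustration, not PraisonAI's code, of the gate a patched POST /agui handler needs before it hands a body to the agent: an explicit origin allowlist in place of the hardcoded "*", a strict JSON media type so a text/plain "simple request" is rejected and real browsers are forced into a preflight, and authentication. The allowlist, the bearer token and the helper names are assumptions of this example.

```python
import hmac
from typing import Mapping, Optional, Tuple

# Constructed values for this example (not PraisonAI's real configuration):
# an explicit origin allowlist replaces the hardcoded "*", and a shared
# bearer token stands in for whatever authentication the deployment uses.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}
EXPECTED_TOKEN = "example-token-change-me"


def _media_type(content_type: Optional[str]) -> str:
    # "application/json; charset=utf-8" -> "application/json"
    return (content_type or "").split(";", 1)[0].strip().lower()


def gate_agui_request(headers: Mapping[str, str]) -> Tuple[int, dict]:
    """Decide whether a POST /agui request may reach the agent.

    Returns (status, response_headers). 200 means the body may be parsed
    as JSON and handed to the agent; anything else is rejected before the
    body is parsed at all. The OPTIONS preflight handler (not shown) must
    apply the same allowlist.
    """
    h = {k.lower(): v for k, v in headers.items()}
    resp: dict = {}

    # 1. Origin allowlist instead of "*": a page on an unlisted origin gets
    #    no Access-Control-Allow-Origin header, so the browser withholds
    #    the response from its JavaScript.
    origin = h.get("origin")
    if origin is not None:
        if origin not in ALLOWED_ORIGINS:
            return 403, resp
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"

    # 2. Require a real JSON media type. text/plain is refused outright, and
    #    application/json is not a CORS "simple" content type, so a browser
    #    must preflight first, which check 1 refuses for unknown origins.
    if _media_type(h.get("content-type")) != "application/json":
        return 415, resp

    # 3. Authentication, which the vulnerable endpoint lacked entirely.
    auth = h.get("authorization", "")
    token = auth[7:] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(token, EXPECTED_TOKEN):
        return 401, resp

    return 200, resp
```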

What systems are affected?

Package: PraisonAI
Ecosystem: pip
Vulnerable Range: not listed
Patched: No patch
Dependents: 1 (83% patched, ~0d to patch)


How severe is it?

CVSS 3.1
8.1 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV: Network
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: None

What should I do?

5 steps
  1. Patch: upgrade PraisonAI to 1.5.128 or later — this is the only complete fix.

  2. Immediate workaround if patching is blocked: restrict /agui to 127.0.0.1 via reverse proxy (Nginx: allow 127.0.0.1; deny all; on the AGUI location block) and require authentication via API gateway or mTLS.

  3. Credential rotation: audit and rotate all API keys, tokens, and credentials accessible to the PraisonAI agent environment — treat them as compromised.

  4. Detection: query web server logs for POST /agui requests with non-localhost Origin headers; alert on unexpected agent execution during off-hours.

  5. Network control: enforce strict CORS allowlists in all AI agent framework deployments; require authentication on every agent API endpoint regardless of perceived network perimeter.
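Step 4 asks for a log query for cross-origin POSTs to /agui. The block below is an added example, not part of the advisory or of PraisonAI, that runs that check over constructed Nginx access-log lines. It assumes the deployment's log_format appends "$http_origin" as a final quoted field; the sample lines, the hostname "lure.example" and the function names are constructed for the example.

```python
import re
from typing import Iterable, List, Tuple
from urllib.parse import urlparse

# Constructed log lines: Nginx combined format with "$http_origin" appended
# as a final quoted field (an assumed log_format, not an Nginx default).
SAMPLE_LOG = """\
127.0.0.1 - - [18/Jun/2026:09:12:01 +0000] "POST /agui HTTP/1.1" 200 812 "-" "Mozilla/5.0" "http://localhost:8080"
127.0.0.1 - - [18/Jun/2026:09:12:05 +0000] "GET /agui HTTP/1.1" 405 0 "-" "curl/8.0" "-"
127.0.0.1 - - [18/Jun/2026:09:13:44 +0000] "POST /agui HTTP/1.1" 200 4096 "https://lure.example/" "Mozilla/5.0" "https://lure.example"
127.0.0.1 - - [18/Jun/2026:09:14:10 +0000] "POST /agui HTTP/1.1" 200 640 "-" "python-requests/2.31" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<origin>[^"]*)"$'
)


def _is_local_origin(origin: str) -> bool:
    try:
        host = urlparse(origin).hostname
    except ValueError:
        return False  # malformed Origin value: do not treat it as local
    return host in ("localhost", "127.0.0.1", "::1")


def suspicious_agui_posts(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (timestamp, origin, status) for every POST to /agui whose
    Origin header is present and not a loopback origin, i.e. a browser page
    on another site drove the agent. Requests without an Origin header come
    from non-browser clients and are left for a separate review."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["method"] != "POST" or not m["path"].startswith("/agui"):
            continue
        origin = m["origin"]
        if origin == "-" or _is_local_origin(origin):
            continue
        hits.append((m["ts"], origin, m["status"]))
    return hits
```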

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Article 9 - Risk management system
ISO 42001
A.10.1 - Resources for AI systems
NIST AI RMF
MANAGE 2.2 - Mechanisms to sustain value and manage risks of deployed AI systems
OWASP LLM Top 10
LLM07 - Insecure Plugin Design
LLM08 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-56076 actively exploited?

No confirmed active exploitation of CVE-2026-56076 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-56076?

This vulnerability affects the following AI/ML architecture patterns: AI agent frameworks, Multi-agent orchestration platforms, Developer AI tooling, Internal AI automation pipelines.

What is the CVSS score for CVE-2026-56076?

CVE-2026-56076 has a CVSS v3.1 base score of 8.1 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent frameworks
Multi-agent orchestration platforms
Developer AI tooling
Internal AI automation pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0078 Drive-by Compromise
AML.T0083 Credentials from AI Agent Configuration
AML.T0084 Discover AI Agent Configuration
AML.T0086 Exfiltration via AI Agent Tool Invocation

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.10.1
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07, LLM08

What are the technical details?

Original Advisory

PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.

Exploitation Scenario

An attacker registers a convincing domain (e.g., praisonai-docs[.]io) and hosts a page embedding a JavaScript payload that sends a cross-origin POST to http://localhost:8080/agui with Content-Type: text/plain and a JSON body instructing the agent to list environment variables and exfiltrate them. Because Starlette parses the body as JSON regardless of Content-Type and the server responds with Access-Control-Allow-Origin: *, the browser treats this as a simple request — no preflight, no rejection. The attacker distributes the link via LinkedIn DMs targeting PraisonAI users, or injects it into a compromised documentation site. The victim clicks the link while PraisonAI is running locally; the agent silently executes, returns OPENAI_API_KEY and ANTHROPIC_API_KEY values in the response body, and the attacker's JavaScript ships them to an attacker-controlled server. Total time from victim page load to credential exfiltration: under two seconds.

Weaknesses (CWE)

CWE-942 — Permissive Cross-domain Security Policy with Untrusted Domains: The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the policy includes untrusted domains with which the web client is allowed to communicate.

  • [Architecture and Design, Operation] Define a restrictive Content Security Policy [REF-1486] or cross-domain policy file.
  • [Architecture and Design, Operation] Avoid using wildcards in the CSP / cross-domain policy file. Any domain matching the wildcard expression will be implicitly trusted, and can perform two-way interaction with the target server.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Timeline

Published
June 18, 2026
Last Modified
June 18, 2026
First Seen
June 19, 2026
