CVE-2026-56077: PraisonAI: agent ID collision leaks system prompts

MEDIUM
Published June 18, 2026
CISO Take

PraisonAI's MultiAgentLedger component fails to enforce agent ID uniqueness, allowing any low-privileged authenticated user to register a duplicate agent ID and silently inherit the ledger of an existing agent — exposing its system prompt and full conversation history. In multi-agent deployments, system prompts routinely encode proprietary business logic, embedded API credentials, operational personas, and compliance-sensitive instructions, making this a high-value reconnaissance target even in the absence of public exploit tooling. The CVSS confidentiality impact is rated High despite the Medium overall score, and with 112 prior CVEs in the same package the security posture of PraisonAI warrants structural scrutiny beyond this individual finding. Upgrade to version 1.5.115 or later immediately; if patching is delayed, enforce strict agent ID namespacing, audit registered agent IDs for collisions, and rotate any secrets embedded in system prompts of potentially affected agents.

Sources: NVD, GitHub Advisory, MITRE ATLAS

What is the risk?

Medium overall severity with a High confidentiality sub-score, a gap that CISOs should not normalize away. The attack requires only low privileges and no user interaction, so any internal user, compromised service account, or misconfigured API consumer can exploit it. No EPSS score has been published and the CVE is not on the CISA KEV list; no in-the-wild exploitation was known at publication, but the technique is conceptually trivial: an attacker needs only to know or enumerate an existing agent ID, register a duplicate, and read the shared ledger. The 112 prior CVEs in PraisonAI signal systemic security debt in this package and justify treating any new disclosure with elevated scrutiny.

How does the attack unfold?

  1. Reconnaissance (AML.T0084): using low-privilege credentials, the attacker enumerates existing agent IDs in the target PraisonAI deployment through API calls, UI inspection, or internal documentation.

  2. Agent ID collision (AML.T0049): the attacker registers a new agent with an ID identical to that of a high-value existing agent, exploiting the absent uniqueness check in MultiAgentLedger.

  3. Ledger state sharing (AML.T0080): PraisonAI silently hands the duplicate registration the same ledger instance as the original agent, merging their operational contexts without rejection or alert.

  4. System prompt and history exfiltration (AML.T0056): the attacker reads the shared ledger to extract the target agent's system prompt verbatim and its full conversation history, including proprietary instructions, any embedded credentials, and processed user data.

What systems are affected?

Package: PraisonAI
Ecosystem: pip
Vulnerable range: < 1.5.115
Patched: 1.5.115
Dependents: 1

Do you use PraisonAI? Any version before 1.5.115 is affected.

How severe is it?

CVSS 3.1: 6.5 / 10
EPSS: N/A (no score published)
Exploitation Status: No known exploitation
Sophistication: Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): High
I (Integrity): None
A (Availability): None

What should I do?

6 steps
  1. Patch immediately: upgrade PraisonAI to ≥1.5.115 where agent ID uniqueness enforcement is applied.

  2. If patching is blocked, audit all registered agent IDs via the framework's agent registry for existing collisions and terminate any duplicate registrations.

  3. Rotate API keys, credentials, and any sensitive values currently embedded in system prompts of agents that may have been targeted.

  4. Review agent registration logs for anomalous duplicate ID registrations as an indicator of exploitation.

  5. Apply least-privilege controls: restrict which users and services are authorized to register new agents in production PraisonAI instances.

  6. Externalize secrets from system prompts entirely — inject sensitive values at runtime via a secrets manager rather than embedding them in the prompt string.
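Steps 2 and 4 above (audit registered IDs for collisions, review registration logs for duplicate-ID registrations) can be done from a registration event log. The script below is an added example, not PraisonAI's own tooling: it parses a constructed JSON-lines log (field names such as `event`, `agent_id`, `principal` and `src_ip` are assumptions about what your deployment logs), treats the first registrant of an ID as its legitimate owner, reports every later registration by a different principal, and then lists the suspect principals' reads of the collided ledger, which is the exposure window to scope credential rotation against.

```python
"""Audit agent registration events for ID collisions (added example, not PraisonAI code)."""
from __future__ import annotations

import json
from collections import defaultdict

# Constructed sample log: JSON lines, one registration or query event per line.
# Field names are assumptions, not PraisonAI's real log format.
SAMPLE_LOG = """\
{"ts": "2026-06-19T08:00:01Z", "event": "agent.register", "agent_id": "compliance-agent", "principal": "svc-compliance", "src_ip": "10.0.1.5"}
{"ts": "2026-06-19T08:00:09Z", "event": "agent.register", "agent_id": "support-agent", "principal": "svc-support", "src_ip": "10.0.1.6"}
{"ts": "2026-06-19T13:42:17Z", "event": "agent.register", "agent_id": "compliance-agent", "principal": "jdoe", "src_ip": "10.0.7.23"}
{"ts": "2026-06-19T13:42:20Z", "event": "agent.query", "agent_id": "compliance-agent", "principal": "jdoe", "src_ip": "10.0.7.23"}
{"ts": "2026-06-19T13:50:00Z", "event": "agent.register", "agent_id": "compliance-agent", "principal": "ci-runner", "src_ip": "10.0.9.2"}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON lines and sort by timestamp so 'first registrant' is well defined.

    ISO-8601 UTC timestamps in a fixed format sort correctly as strings.
    """
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return sorted(events, key=lambda e: e["ts"])


def find_collisions(events: list[dict]) -> dict[str, dict]:
    """Return {agent_id: {"owner": ..., "suspects": [...]}} for every ID that was
    registered by more than one distinct principal.

    The earliest registration is treated as the legitimate owner. Re-registrations
    by the same principal (e.g. a service restart) are not flagged.
    """
    registrations: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e.get("event") == "agent.register":
            registrations[e["agent_id"]].append(e)

    report: dict[str, dict] = {}
    for agent_id, regs in registrations.items():
        owner = regs[0]["principal"]
        suspects = [r for r in regs[1:] if r["principal"] != owner]
        if suspects:
            report[agent_id] = {
                "owner": owner,
                "suspects": [
                    {"principal": r["principal"], "ts": r["ts"], "src_ip": r["src_ip"]}
                    for r in suspects
                ],
            }
    return report


def reads_after_collision(events: list[dict], report: dict[str, dict]) -> list[dict]:
    """Non-registration events on a collided ledger by a suspect principal, at or
    after that principal's first duplicate registration: the actual exposure."""
    hits = []
    for agent_id, info in report.items():
        suspects = {s["principal"] for s in info["suspects"]}
        first_dup_ts = min(s["ts"] for s in info["suspects"])
        for e in events:
            if (e["agent_id"] == agent_id
                    and e["event"] != "agent.register"
                    and e["principal"] in suspects
                    and e["ts"] >= first_dup_ts):
                hits.append(e)
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    collisions = find_collisions(evs)
    for agent_id, info in collisions.items():
        print(f"[COLLISION] {agent_id}: owner={info['owner']}")
        for s in info["suspects"]:
            print(f"    duplicate registration by {s['principal']} from {s['src_ip']} at {s['ts']}")
    for h in reads_after_collision(evs, collisions):
        print(f"[EXPOSURE] {h['principal']} read ledger {h['agent_id']} at {h['ts']}")
```

Any agent ID in the collision report should have the secrets referenced by its system prompt rotated (step 3), and the suspect principals' sessions reviewed; the report keys also give you the list of duplicate registrations to terminate under step 2.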

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 9 - Risk management system
ISO 42001
A.6.2 - AI system risk management
NIST AI RMF
PROTECT-1.1 - AI system access controls
OWASP LLM Top 10
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is CVE-2026-56077?

CVE-2026-56077 is an information disclosure flaw in PraisonAI before 1.5.115: the MultiAgentLedger component does not enforce agent ID uniqueness, so a low-privileged authenticated user who registers an agent under an existing agent's ID is handed that agent's ledger, including its system prompt and full conversation history. The CISO Take at the top of this page gives the full assessment and mitigation guidance.

Is CVE-2026-56077 actively exploited?

No confirmed active exploitation of CVE-2026-56077 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-56077?

Upgrade PraisonAI to 1.5.115 or later. If patching is blocked: audit registered agent IDs for collisions and terminate duplicates, rotate any credentials embedded in the system prompts of agents that may have been targeted, review registration logs for duplicate-ID registrations, restrict which users and services may register agents, and move secrets out of prompts into a runtime secrets manager. The full six-step list is under "What should I do?" above.

What systems are affected by CVE-2026-56077?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, multi-agent orchestration, agentic AI pipelines.

What is the CVSS score for CVE-2026-56077?

CVE-2026-56077 has a CVSS v3.1 base score of 6.5 (MEDIUM).

What is the AI security impact?

Affected AI Architectures

agent frameworks, multi-agent orchestration, agentic AI pipelines

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0056 Extract LLM System Prompt
AML.T0057 LLM Data Leakage
AML.T0084 Discover AI Agent Configuration
AML.T0085 Data from AI Services

Compliance Controls Affected

EU AI Act: Art. 9
ISO 42001: A.6.2
NIST AI RMF: PROTECT-1.1
OWASP LLM Top 10: LLM06

What are the technical details?

Original Advisory

PraisonAI before 1.5.115 contains an information disclosure vulnerability in the MultiAgentLedger component that allows attackers to access sensitive data by registering agents with duplicate IDs. Attackers can exploit the lack of agent ID uniqueness enforcement to share ledger instances and expose system prompts and conversation history between agents.

Exploitation Scenario

An attacker holding a low-privilege account on a PraisonAI deployment — a junior developer, a compromised CI/CD service account, or a malicious insider — enumerates existing agent IDs through API calls or internal documentation. The attacker identifies a high-value target: a compliance agent whose system prompt references internal policy documents and vendor API keys, or a customer-facing agent whose ledger accumulates PII. The attacker registers a new agent using the identical ID. PraisonAI's MultiAgentLedger, lacking uniqueness enforcement, assigns the same ledger instance to both agents. The attacker queries the shared ledger and extracts the target agent's system prompt verbatim and its full conversation history — including all sensitive data processed by that agent — without triggering security alerts or requiring elevated permissions.
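The attack chain and the scenario above both hinge on one behaviour: a ledger store keyed by agent ID that returns the existing entry instead of rejecting a duplicate. The following is an added example written for this page, not PraisonAI's code; it models that weakness class (CWE-668) in a toy store, shows the leak from the second registrant's point of view, and places a hardened store beside it that rejects duplicates and namespaces ledgers by the registering principal. All class, method and principal names, and the prompt contents, are constructed for the demonstration.

```python
"""Toy agent ledger store: duplicate-ID leak and the hardened form (added example, not PraisonAI code)."""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class AgentLedger:
    """Per-agent state: who registered it, its system prompt, and the running conversation."""
    agent_id: str
    owner: str
    system_prompt: str
    history: list[dict] = field(default_factory=list)


class VulnerableLedgerStore:
    """Looks up or creates a ledger by agent ID with no uniqueness or ownership check.

    A second caller that reuses an existing ID is handed the ORIGINAL ledger object,
    which is the weakness class the advisory describes.
    """

    def __init__(self) -> None:
        self._ledgers: dict[str, AgentLedger] = {}

    def register(self, agent_id: str, owner: str, system_prompt: str) -> AgentLedger:
        # setdefault() silently returns the existing ledger when the ID is taken;
        # the second caller's owner and prompt are discarded, and no error is raised.
        return self._ledgers.setdefault(
            agent_id, AgentLedger(agent_id, owner, system_prompt))


class DuplicateAgentIdError(ValueError):
    """Raised when an agent ID is already registered in the caller's namespace."""


class HardenedLedgerStore:
    """Rejects duplicate IDs and scopes every ledger to the registering principal."""

    def __init__(self) -> None:
        self._ledgers: dict[str, AgentLedger] = {}

    @staticmethod
    def _key(owner: str, agent_id: str) -> str:
        # Namespacing by owner: two principals may use the same label without
        # colliding, and a repeat within one namespace is still rejected in register().
        return f"{owner}/{agent_id}"

    def register(self, agent_id: str, owner: str, system_prompt: str) -> AgentLedger:
        key = self._key(owner, agent_id)
        if key in self._ledgers:
            raise DuplicateAgentIdError(f"agent ID already registered: {key}")
        ledger = AgentLedger(agent_id, owner, system_prompt)
        self._ledgers[key] = ledger
        return ledger

    def get(self, agent_id: str, owner: str) -> AgentLedger:
        # Reads are scoped the same way, so a caller only ever sees its own ledgers.
        return self._ledgers[self._key(owner, agent_id)]


def demo_vulnerable() -> dict:
    """Victim registers a compliance agent; a second principal reuses its ID."""
    store = VulnerableLedgerStore()
    victim = store.register(
        "compliance-agent", "alice",
        "You are the compliance agent. Vendor API key: sk-constructed-0001")
    victim.history.append({"role": "user", "content": "Summarise Q2 audit exceptions"})
    # The attacker registers the same ID with an innocuous prompt of their own
    attacker_view = store.register("compliance-agent", "mallory", "You are a helpful bot.")
    return {
        "same_object": attacker_view is victim,
        "leaked_prompt": attacker_view.system_prompt,
        "leaked_history": list(attacker_view.history),
    }


def demo_hardened() -> dict:
    """Same sequence against the hardened store: duplicate rejected, namespaces isolated."""
    store = HardenedLedgerStore()
    store.register("compliance-agent", "alice", "You are the compliance agent.")
    duplicate_rejected = False
    try:
        store.register("compliance-agent", "alice", "You are a helpful bot.")
    except DuplicateAgentIdError:
        duplicate_rejected = True
    # A different owner using the same label gets its own, separate ledger
    mallory = store.register("compliance-agent", "mallory", "You are a helpful bot.")
    alice = store.get("compliance-agent", "alice")
    return {
        "duplicate_rejected": duplicate_rejected,
        "cross_owner_isolated": mallory is not alice and alice.owner == "alice",
    }


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened())
```

The point of the hardened form is that the check happens at registration time and the key includes the principal: a `setdefault`-style lookup can never be made safe by validating the ID string alone, because the collision is legitimate input from the store's point of view. Whether the real fix in 1.5.115 namespaces IDs or simply rejects duplicates is not stated in the advisory; the example shows both controls.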

Weaknesses (CWE)

CWE-668 — Exposure of Resource to Wrong Sphere: The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Timeline

Published: June 18, 2026
Last Modified: June 18, 2026
First Seen: June 19, 2026
