3 matches found
PYSEC-2026-467 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
Summary praisonai browser start exposes the browser bridge on 0.0.0.0 by default, and its /ws endpoint accepts websocket clients that omit the Origin header entirely. An unauthenticated network client can connect as a fake controller, send startsession, cause the server to forward startautomation...
CVE-2026-40289 PraisonAI Browser Server allows unauthenticated WebSocket clients to hijack connected extension sessions
PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge praisonai browser start is vulnerable to unauthenticated remote session hijacking due to missing authentication and a bypassable origin check on its /ws WebSocket...
PT-2026-32594
Name of the Vulnerable Software and Affected Versions PraisonAI versions prior to 4.5.139 praisonaiagents versions prior to 1.5.140 Description The browser bridge is susceptible to unauthenticated remote session hijacking. This occurs due to a lack of authentication and a bypassable origin check ...