GHSA-F292-66H9-FPMF
Vulnerability from github – Published: 2026-04-08 19:21 – Updated: 2026-04-09 14:29The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.
The create_a2u_routes() function registers the following endpoints with NO authentication checks: - GET /a2u/info — exposes server info and stream names - POST /a2u/subscribe — creates event stream subscription - GET /a2u/events/{stream_name} — streams ALL agent events - GET /a2u/events/sub/{id} — streams events for subscription - GET /a2u/health — health check
An unauthenticated attacker can: 1. POST /a2u/subscribe → receive subscription_id 2. GET /a2u/events/sub/{subscription_id} → receive live SSE stream of all agent events including responses, tool calls, and thinking
This exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker.
[1] POST /a2u/subscribe (no auth token) Status: 200 Response: {"subscription_id":"sub-a1ad8a6edd8b","stream_name":"events", "stream_url":"http://testserver/a2u/events/sub-a1ad8a6edd8b"} Got subscription_id: sub-a1ad8a6edd8b
[2] GET /a2u/info (no auth token) Status: 200 Response: {"name":"A2U Event Stream","version":"1.0.0", "streams":["events"],"event_types":["agent.started","agent.thinking", "agent.tool_call","agent.response","agent.completed","agent.error"]}
[3] GET /a2u/health (no auth token)
Status: 200
Response: {"status":"healthy","active_subscriptions":1,"active_streams":1}
Impact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.5.114"
},
"package": {
"ecosystem": "PyPI",
"name": "praisonai"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.115"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39889"
],
"database_specific": {
"cwe_ids": [
"CWE-200"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T19:21:14Z",
"nvd_published_at": "2026-04-08T21:17:01Z",
"severity": "HIGH"
},
"details": "The A2U (Agent-to-User) event stream server in PraisonAI exposes all agent activity without authentication. This is a separate component from the gateway server fixed in CVE-2026-34952.\n\nThe create_a2u_routes() function registers the following endpoints with NO authentication checks:\n- GET /a2u/info \u2014 exposes server info and stream names\n- POST /a2u/subscribe \u2014 creates event stream subscription\n- GET /a2u/events/{stream_name} \u2014 streams ALL agent events\n- GET /a2u/events/sub/{id} \u2014 streams events for subscription\n- GET /a2u/health \u2014 health check\n\n\nAn unauthenticated attacker can:\n1. POST /a2u/subscribe \u2192 receive subscription_id\n2. GET /a2u/events/sub/{subscription_id} \u2192 receive live SSE stream \n of all agent events including responses, tool calls, and thinking\n\nThis exposes sensitive agent activity including responses, internal reasoning, and tool call arguments to any network attacker.\n\n\u003cimg width=\"1512\" height=\"947\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3438f3ea-75ec-4978-9dd9-d9a6da42c248\" /\u003e\n\n\u003cimg width=\"1512\" height=\"571\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ee3313f6-f522-48f7-9c06-e5e265c6aeb4\" /\u003e\n\n\n[1] POST /a2u/subscribe (no auth token)\n Status: 200\n Response: {\"subscription_id\":\"sub-a1ad8a6edd8b\",\"stream_name\":\"events\",\n \"stream_url\":\"http://testserver/a2u/events/sub-a1ad8a6edd8b\"}\n Got subscription_id: sub-a1ad8a6edd8b\n\n[2] GET /a2u/info (no auth token)\n Status: 200\n Response: {\"name\":\"A2U Event Stream\",\"version\":\"1.0.0\",\n \"streams\":[\"events\"],\"event_types\":[\"agent.started\",\"agent.thinking\",\n \"agent.tool_call\",\"agent.response\",\"agent.completed\",\"agent.error\"]}\n\n[3] GET /a2u/health (no auth token) \n Status: 200\n Response: {\"status\":\"healthy\",\"active_subscriptions\":1,\"active_streams\":1}\n\n\nImpact: Attacker can subscribe and receive ALL agent events including responses, tool calls, and internal reasoning in real-time",
"id": "GHSA-f292-66h9-fpmf",
"modified": "2026-04-09T14:29:15Z",
"published": "2026-04-08T19:21:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f292-66h9-fpmf"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39889"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.115"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI Has Unauthenticated SSE Event Stream that Exposes All Agent Activity in A2U Server"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.