Ghostwire

CVE-2026-61426: PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key...

HIGH CVSS 8.6 Exploit Available

Published: July 11, 2026 | Last Modified: July 11, 2026

Description

PraisonAI before 1.7.3 contains an insecure default configuration that binds to all interfaces with no API key requirement and wildcard CORS. Unauthenticated attackers can call GET /api/agents to read agent instructions and system prompts, or POST /api/chat to invoke agents without authentication.

Ghostwire Analysis — What This Means Practically

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

References