CVE-2026-34952
PraisonAI · PraisonAI Gateway
PraisonAI Gateway prior to 4.5.97 lacks authentication for WebSocket and info endpoints. Attackers can enumerate AI agents and send arbitrary messages to manipulate agent tools.
Executive summary
The PraisonAI Gateway is vulnerable to unauthenticated access, allowing any network client to enumerate AI agents and send arbitrary commands to their tool sets.
Vulnerability
The gateway server exposes agent topology at /info and accepts WebSocket connections at /ws without any authentication. This allows unauthenticated attackers to discover all registered agents and inject arbitrary messages into the agent communication stream.
Business impact
An attacker can hijack AI workflows, exfiltrate data from agent interactions, or trigger unauthorized actions through the agents' tool sets. The CVSS score of 9.1 reflects the critical risk of unauthenticated control over automated AI systems, which may have access to sensitive corporate resources.
Remediation
Immediate Action: Update the PraisonAI Gateway to version 4.5.97 or later, which implements the necessary authentication checks for these endpoints.
Proactive Monitoring: Monitor WebSocket connection logs for unauthorized IP addresses and audit agent activity for unexpected or anomalous tool executions.
Compensating Controls: Place the PraisonAI Gateway behind a VPN or use a reverse proxy to enforce authentication before requests reach the /ws and /info endpoints.
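The monitoring and reverse-proxy steps above can be checked against the proxy's access log. This is an added example, not code from PraisonAI or from this advisory; it assumes the gateway sits behind a reverse proxy that writes combined-format access logs with the authenticated user in the third field, and the allowed network and log lines are constructed.

```python
import ipaddress
import re

# Assumption: combined log format, as written by a reverse proxy in front of
# the gateway; the third field is the proxy-authenticated user ("-" if none).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
SENSITIVE_PATHS = ("/ws", "/info")  # endpoints named in the advisory
ALLOWED_NETS = [ipaddress.ip_network("10.20.0.0/16")]  # constructed trusted range

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.20.4.17 - svc-orch [01/Jan/2026:09:14:03 +0000] "GET /ws HTTP/1.1" 101 0 "-" "ws-client"',
    '203.0.113.45 - - [01/Jan/2026:09:15:41 +0000] "GET /info HTTP/1.1" 200 812 "-" "curl/8.5.0"',
    '203.0.113.45 - - [01/Jan/2026:09:15:44 +0000] "GET /ws HTTP/1.1" 101 0 "-" "-"',
    '10.20.9.3 - - [01/Jan/2026:09:16:02 +0000] "GET /info?v=1 HTTP/1.1" 401 0 "-" "curl/8.5.0"',
    '10.20.9.3 - - [01/Jan/2026:09:16:30 +0000] "GET /ws/ HTTP/1.1" 101 0 "-" "ws-client"',
    '198.51.100.7 - - [01/Jan/2026:09:17:00 +0000] "GET /health HTTP/1.1" 200 2 "-" "probe"',
]


def is_sensitive(path):
    # Ignore the query string and a trailing slash when matching the endpoint.
    base = path.split("?", 1)[0].rstrip("/")
    return base in SENSITIVE_PATHS


def findings(lines, allowed_nets=ALLOWED_NETS):
    """Return (timestamp, ip, path, status, reasons) for suspicious /ws and /info hits."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_sensitive(m["path"]):
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:  # hostname or malformed address field: skip the line
            continue
        status = int(m["status"])
        reasons = []
        if not any(ip in net for net in allowed_nets):
            reasons.append("source outside allowed networks")
        if m["user"] == "-" and status in (101, 200):  # upgrade or OK with no auth
            reasons.append("succeeded without an authenticated user")
        if reasons:
            out.append((m["ts"], str(ip), m["path"], status, reasons))
    return out
```

A hit from inside the allowed range that still succeeds without a user means the proxy is not enforcing authentication on that path, which is the condition the compensating control is meant to remove.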
Exploitation status
Public Exploit Available: false
Analyst recommendation
Securing AI infrastructure is critical as these systems are increasingly integrated into business processes. Organizations using PraisonAI must update to version 4.5.97 immediately to prevent unauthorized actors from controlling their AI agents. Ensure that all management endpoints are strictly authenticated and not exposed to the open internet.