What happened
PraisonAI's POST /agui endpoint for the AG-UI protocol lacks any authentication and hardcodes a wildcard CORS policy (Access-Control-Allow-Origin: *). Because Starlette parses JSON regardless of Content-Type, attackers can craft simple cross-origin requests that bypass CORS preflight entirely, remotely triggering arbitrary agent execution and receiving sensitive response data. Published 2026-06-18, CVSS 8.1 HIGH.
Why it matters
Unauthenticated remote agent invocation is a critical agentic attack: any website can silently trigger agent runs against a victim's PraisonAI instance via a cross-site request, exfiltrating tool execution results and environment variables without the user's knowledge. This is a real-world instance of the cross-origin agent hijack attack class.
Attack vector
A remote attacker sends a crafted cross-origin POST request to the /agui endpoint. The endpoint lacks authentication and hardcodes the Access-Control-Allow-Origin: * header. Combined with Starlette's Content-Type-agnostic JSON parsing, this lets the attacker use simple requests, which trigger no CORS preflight, to cause arbitrary agent execution and exfiltrate tool output, including environment secrets.
Affected systems
PraisonAI < 1.5.128
Mitigation
Upgrade to PraisonAI 1.5.128 or later. Advisory: https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x462-jjpc-q4q4
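
A defence-in-depth guard for the conditions described under Attack vector, as an added example (not PraisonAI's code and not its 1.5.128 fix): a framework-independent ASGI middleware that requires application/json, an allowlisted Origin and a bearer token on POST /agui. AguiGuard, check_request, ALLOWED_ORIGINS and API_TOKEN are hypothetical names with constructed values.

```python
import hmac

# Assumed values for this sketch (hypothetical, not PraisonAI settings).
GUARDED_PATH = "/agui"
ALLOWED_ORIGINS = {"https://ui.example.internal"}
API_TOKEN = "constructed-demo-token"  # load from a secret store in practice


def check_request(method, path, headers):
    """Return (status, reason); 200 means pass the request to the app."""
    if path != GUARDED_PATH or method != "POST":
        return 200, "not guarded"
    # CORS-safelisted types (text/plain, form types) skip preflight, so insist
    # on application/json: a cross-origin browser must then preflight first.
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return 415, "content-type must be application/json"
    # Browsers attach Origin to cross-origin POSTs; allow only known front ends.
    origin = headers.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    # Authentication is the real control; the checks above are defence in depth.
    supplied = headers.get("authorization", "")
    if not hmac.compare_digest(supplied.encode(), f"Bearer {API_TOKEN}".encode()):
        return 401, "missing or invalid bearer token"
    return 200, "ok"


class AguiGuard:
    """Pure ASGI middleware: wraps any ASGI app, no framework import needed."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        headers = {k.decode("latin-1").lower(): v.decode("latin-1")
                   for k, v in scope["headers"]}
        status, reason = check_request(scope["method"], scope["path"], headers)
        if status == 200:
            return await self.app(scope, receive, send)
        body = reason.encode()
        await send({"type": "http.response.start", "status": status,
                    "headers": [(b"content-type", b"text/plain"),
                                (b"content-length", str(len(body)).encode())]})
        await send({"type": "http.response.body", "body": body})
```

Wrap the served ASGI application as AguiGuard(app); it complements the upgrade above rather than replacing it.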