GHSA-x462-jjpc-q4q4: PraisonAI: Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
The AGUI endpoint (POST /agui) has no authentication and hardcodes Access-Control-Allow-Origin: * on all responses. Combined with Starlette/FastAPI’s Content-Type-agnostic JSON parsing, any website a victim visits can silently trigger arbitrary agent execution against a locally-running AGUI server and read the full response, including tool execution results and potentially sensitive data from the victim’s environment.
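One way to close the three gaps the advisory names, as an added example (not PraisonAI's code and not the project's fix): a pure-ASGI wrapper that enforces an Origin allowlist, JSON-only bodies and a bearer token on `/agui`, and replaces the wildcard CORS header with the single allowed origin. The names `agui_guard` and `probe`, the token and the allowed origin are assumptions; `_wildcard_app` is a constructed stand-in for the endpoint.

```python
import asyncio
import hmac

ACAO = b"access-control-allow-origin"
async def _reply(send, status, headers):
    await send({"type": "http.response.start", "status": status, "headers": headers})
    await send({"type": "http.response.body", "body": b""})

def agui_guard(app, token, origins, path="/agui"):
    """Wrap an ASGI app: Origin allowlist, JSON-only bodies and bearer auth on `path`."""
    async def guarded(scope, receive, send):
        if scope["type"] != "http" or scope["path"] != path:
            return await app(scope, receive, send)
        hdr = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope["headers"]}
        origin, cors = hdr.get("origin"), [(b"vary", b"Origin")]
        if origin is not None:
            if origin not in origins:
                return await _reply(send, 403, cors)  # unknown site gets no CORS grant
            cors.append((ACAO, origin.encode("latin-1")))
        if scope["method"] == "OPTIONS":  # preflight carries no credentials; answer it here
            allow = (b"access-control-allow-headers", b"authorization, content-type")
            return await _reply(send, 204, cors + [allow])
        # text/plain or form bodies are "simple" requests that skip preflight: refuse them
        if hdr.get("content-type", "").split(";")[0].strip().lower() != "application/json":
            return await _reply(send, 415, cors)
        expected = f"Bearer {token}".encode()
        if not hmac.compare_digest(hdr.get("authorization", "").encode(), expected):
            return await _reply(send, 401, cors)
        async def send_fixed(msg):
            if msg["type"] == "http.response.start":  # drop the app's hardcoded wildcard
                kept = [h for h in msg.get("headers", []) if h[0].lower() != ACAO]
                msg = {**msg, "headers": kept + cors}
            await send(msg)
        await app(scope, receive, send_fixed)
    return guarded

async def _wildcard_app(scope, receive, send):  # constructed stand-in for the AGUI handler
    await send({"type": "http.response.start", "status": 200, "headers": [(ACAO, b"*")]})
    await send({"type": "http.response.body", "body": b"{}"})

def probe(headers, method="POST"):
    """Send one constructed request through the guard; return (status, ACAO value or None)."""
    sent = []
    async def send(msg): sent.append(msg)
    scope = {"type": "http", "method": method, "path": "/agui",
             "headers": [(k.lower().encode(), v.encode()) for k, v in headers.items()]}
    guard = agui_guard(_wildcard_app, "constructed-token", {"http://localhost:3000"})
    asyncio.run(guard(scope, None, send))  # receive is unused by the stand-in app
    return sent[0]["status"], dict(sent[0]["headers"]).get(ACAO)
```

Because the wrapper is a plain ASGI callable, it can wrap a FastAPI or Starlette application object before that object is handed to the server.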