CVE-2026-40115 | THREATINT

Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the WSGI-based recipe registry server (server.py) reads the entire HTTP request body into memory based on the client-supplied Content-Length header with no upper bound. Combined with authentication being disabled by default (no token configured), any local process can send arbitrarily large POST requests to exhaust server memory and cause a denial of service. The Starlette-based server (serve.py) has RequestSizeLimitMiddleware with a 10MB limit, but the WSGI server lacks any equivalent protection. This vulnerability is fixed in 4.5.128.

PUBLISHED Reserved 2026-04-09 | Published 2026-04-09 | Updated 2026-04-13 | Assigner GitHub_M

MEDIUM: 6.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Problem types

CWE-770: Allocation of Resources Without Limits or Throttling

Product status

< 4.5.128

affected

References

github.com/...isonAI/security/advisories/GHSA-2xgv-5cv2-47vv exploit

github.com/...isonAI/security/advisories/GHSA-2xgv-5cv2-47vv

cve.org (CVE-2026-40115)

nvd.nist.gov (CVE-2026-40115)

Download JSON