What is CVE-2026-40289?

CVE-2026-40289 is a critical-severity vulnerability in Mervinpraison Praisonai, classified under Missing Authentication for Critical Function. CVSS score: 9.1/10. Published 2026-04-14.

How severe is CVE-2026-40289?

Critical severity. CVSS v3 base score is 9.1 out of 10.

Auth bypass in Mervinpraison Praisonai

CVE-2026-40289

PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the browser bridge (praisonai browser start) is vulnerable to unauthenticated remote session hijacking due to missing authentic…

Vulnerability class: Broken Authentication

EPSS: 0.001 (22.3th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.1 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N.

Affected products

Mervinpraison Praisonai — versions < 4.5.139
Mervinpraison Praisonaiagents — versions < 1.5.140

Weakness classification (CWE)

CWE-306 — Missing Authentication for Critical Function

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8x8f-54wf-vv92 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-40289?: CVE-2026-40289 is a critical-severity vulnerability in Mervinpraison Praisonai, classified under Missing Authentication for Critical Function. CVSS score: 9.1/10. Published 2026-04-14.
How severe is CVE-2026-40289?: Critical severity. CVSS v3 base score is 9.1 out of 10.