Auth bypass in Mervinpraison Praisonai
CVE-2026-61436
PraisonAI before 4.6.78 fails to verify Svix webhook signatures in AgentMail webhook mode, allowing unauthenticated attackers to forge message.received events. Attackers can send crafted JSON payloads to the webhook endpoint to invoke conf…
Vulnerability class: Broken Authentication
CVSS v3 metric
CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L.
Affected products
- Mervinpraison Praisonai — versions 0, 4.6.78
Weakness classification (CWE)
References
- disclosure@vulncheck.com (vendor-advisory)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (patch)
- disclosure@vulncheck.com (third-party-advisory)
Frequently asked questions
- What is CVE-2026-61436?
- CVE-2026-61436 is a high-severity vulnerability in Mervinpraison Praisonai, classified under Improper Authentication. CVSS score: 8.6/10. Published 2026-07-15.
- How severe is CVE-2026-61436?
- High severity. CVSS v3 base score is 8.6 out of 10.