PraisonAI AgentOS Unauthenticated Information Disclosure Vulnerability
Vulnerability
A vulnerability in the AgentOS deployment platform of PraisonAI, prior to version 4.5.128, allows unauthenticated access to agent information through the GET /api/agents endpoint. This endpoint discloses agent names, roles, and the first 100 characters of their system instructions. The issue arises because the FastAPI application has neither authentication middleware nor API key validation, and is configured to allow cross-origin requests from any origin. As a result, any network-accessible deployment can be queried for sensitive agent information.
Impact
Exploitation of this vulnerability leads to unauthorized disclosure of agent instructions, which may contain proprietary business logic, internal API references, and other confidential information. The vulnerability also allows for cross-origin exfiltration of agent data from any website, due to the permissive CORS configuration.
Reproduction
The vulnerability can be reproduced by sending a GET request to the /api/agents endpoint. This can be done using curl or any HTTP client, without the need for authentication. The response will include the names, roles, and truncated instructions of all agents. Additionally, the /api/chat endpoint can be used to extract full instructions by injecting a prompt that requests the complete system instructions, bypassing the 100-character limit.
Remediation
Users are advised to update to PraisonAI version 4.5.128 or later. For versions prior to 4.5.128, it is recommended to implement API key authentication and restrict CORS origins to trusted domains.
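The two mitigations recommended above, an API key check on the agents endpoint and an explicit CORS allow-list instead of a wildcard origin, as an added example that is not PraisonAI's own code. It uses Python's standard library rather than FastAPI so it runs without dependencies; the key, trusted origin, agent list and listen port are constructed placeholders, and the same two checks map directly onto a FastAPI dependency and CORSMiddleware(allow_origins=[...]).

```python
import hmac
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed placeholder; in a real deployment the key comes from a secret store.
API_KEY = os.environ.get("AGENTOS_API_KEY", "example-key-do-not-use")
# Hardened CORS: an explicit allow-list of trusted origins, never the wildcard "*".
ALLOWED_ORIGINS = {"https://console.example.com"}  # constructed placeholder
# Constructed sample inventory; full system instructions stay server-side.
AGENTS = [{"name": "researcher", "role": "Research assistant"}]


def api_key_is_valid(headers, expected=API_KEY):
    """True only if X-API-Key is present and matches, compared in constant time."""
    presented = headers.get("X-API-Key")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), expected.encode())


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Reflect the Origin only when it is on the allow-list; otherwise send no CORS header."""
    if origin in allowed:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


class AgentOSHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if urlparse(self.path).path != "/api/agents":
            self.send_error(404)
            return
        if not api_key_is_valid(self.headers):  # unauthenticated callers stop here
            self.send_error(401, "missing or invalid API key")
            return
        body = json.dumps(AGENTS).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        for name, value in cors_headers(self.headers.get("Origin")).items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), AgentOSHandler).serve_forever()  # placeholder port
```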
