PraisonAI - Cross-Origin Agent Execution via Hardcoded Wildcard CORS and Missing Authentication on AGUI Endpoint
Description
PraisonAI before 1.5.128 contains a cross-origin agent execution vulnerability in the AGUI endpoint that allows remote attackers to trigger arbitrary agent execution. The POST /agui endpoint lacks authentication and hardcodes Access-Control-Allow-Origin: * headers, combined with Starlette's Content-Type-agnostic JSON parsing, enabling attackers to bypass CORS preflight checks via simple requests and exfiltrate sensitive agent responses including tool execution results and environment data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: <1.5.128
Patches
Vulnerability mechanics
Root cause
"Missing authentication and hardcoded wildcard CORS headers on the AGUI endpoint, combined with Starlette's Content-Type-agnostic JSON parsing, allow cross-origin agent execution."
Attack vector
An attacker can exploit the AGUI endpoint by hosting a malicious website that a victim visits while the victim has a local AGUI server running. The attacker's JavaScript sends a POST request to `http://localhost:8000/agui` with `Content-Type: text/plain` — this is a CORS simple request, so no preflight OPTIONS check occurs. Starlette's JSON parser accepts the body regardless of Content-Type, so the agent executes the attacker's prompt with full tool capabilities. The hardcoded `Access-Control-Allow-Origin: *` header allows the browser to share the streaming response with the attacker's script, enabling exfiltration of tool outputs, file contents, environment variables, and other sensitive data. [ref_id=1]
Affected code
The vulnerability is in `src/praisonai-agents/praisonaiagents/ui/agui/agui.py`. The `POST /agui` endpoint (lines 124-125) lacks any authentication, and the `StreamingResponse` (lines 131-141) hardcodes `Access-Control-Allow-Origin: *` headers. The `RunAgentInput` model (defined in `types.py:159-165`) has no auth token or session validation field.
What the fix does
The recommended fix removes the hardcoded wildcard CORS headers from the `StreamingResponse` and instead makes CORS configurable via a new `allowed_origins` parameter, letting consumers use FastAPI's `CORSMiddleware` with specific origins. A Content-Type check is added as defense-in-depth to reject requests that do not include `application/json`, preventing the simple-request CORS bypass. Authentication support (e.g., an API key or bearer token dependency) should also be added so that cross-origin requests without valid credentials are rejected. [ref_id=1]
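The three checks described above (JSON-only Content-Type, an origin allowlist in place of the wildcard, and a bearer token) can be sketched as a dependency-free ASGI wrapper. This is an added example, not PraisonAI's patch; `AguiGate`, `agent_app`, `drive`, and the origin and token values used with them are assumptions made for illustration.

```python
import asyncio
import hmac

class AguiGate:
    """Pure-ASGI wrapper that vets POST /agui before the wrapped app runs."""
    def __init__(self, app, allowed_origins, token):
        self.app, self.allowed, self.token = app, set(allowed_origins), token

    def check(self, headers):
        """Return (status, reason); 200 means the request may reach the agent."""
        # text/plain, form and multipart bodies are CORS "simple" and skip preflight.
        ctype = headers.get("content-type", "").split(";")[0].strip().lower()
        if ctype != "application/json":
            return 415, "Content-Type must be application/json"
        origin = headers.get("origin")  # absent for non-browser clients
        if origin is not None and origin not in self.allowed:
            return 403, "origin not allowed"
        expected = f"Bearer {self.token}".encode()
        if not hmac.compare_digest(headers.get("authorization", "").encode(), expected):
            return 401, "missing or invalid bearer token"
        return 200, "ok"

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http" or (scope["method"], scope["path"]) != ("POST", "/agui"):
            return await self.app(scope, receive, send)
        headers = {k.decode("latin-1").lower(): v.decode("latin-1") for k, v in scope["headers"]}
        status, reason = self.check(headers)
        if status == 200:
            return await self.app(scope, receive, send)
        await send({"type": "http.response.start", "status": status,
                    "headers": [(b"content-type", b"text/plain")]})
        await send({"type": "http.response.body", "body": reason.encode()})

async def agent_app(scope, receive, send):
    """Stand-in for the real AGUI application (hypothetical)."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"agent ran"})

def drive(gate, headers):
    """Send one constructed POST /agui through the gate and return its status."""
    sent = []
    scope = {"type": "http", "method": "POST", "path": "/agui",
             "headers": [(k.encode(), v.encode()) for k, v in headers.items()]}
    async def receive():
        return {"type": "http.request", "body": b"{}", "more_body": False}
    async def send(message):
        sent.append(message)
    asyncio.run(gate(scope, receive, send))
    return sent[0]["status"]
```

In a FastAPI deployment, the CORS response headers for permitted front-ends would come from `CORSMiddleware` with an explicit `allow_origins` list, as the fix describes; the gate only decides whether the request reaches the agent.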
Preconditions
- config: The victim must be running a local AGUI server (the documented usage pattern).
- network: The victim must visit an attacker-controlled website while the AGUI server is running.
- auth: No authentication or session validation is required; the endpoint accepts any request.
- input: The attacker sends a POST with Content-Type: text/plain containing a JSON body, bypassing CORS preflight.
Generated on Jun 19, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.