PraisonAI patches unauthenticated WebSocket proxy credit drain
TL;DR — PraisonAI exposed an unauthenticated /media-stream WebSocket that opens a paid OpenAI Realtime session per connection, enabling internet-triggered resource exhaustion and API credit drain.
What happened
PraisonAI is a Python (PyPI) project that includes a FastAPI-based call module intended to broker Twilio media streams to the OpenAI Realtime API. A GitHub-reviewed advisory for CVE-2026-40116 reports that PraisonAI’s /media-stream WebSocket endpoint accepts connections from any client without authentication or Twilio signature validation, then immediately opens an authenticated OpenAI Realtime WebSocket session using the server’s OPENAI_API_KEY.
Per the advisory, there are no limits on concurrent connections, message rate, or message size, and uvicorn.run() is invoked without ws_max_size (defaulting to 16MB per message). The server also binds to 0.0.0.0 and can be exposed via ngrok (--public), making this a realistic internet-exposure footgun for teams prototyping voice / realtime AI features.
This is operationally high-leverage because it turns a single missing-auth WebSocket route into both an availability attack and a direct cost-exhaustion vector against the OpenAI account backing the service — a pattern that’s becoming increasingly common in “AI gateway” / “AI proxy” app architectures.
Who is impacted
- Deployments exposing PraisonAI’s FastAPI service where
/media-streamis reachable by untrusted clients (directly or via tunnels/proxies). - Environments where the service is configured with an active
OPENAI_API_KEY(each attacker connection can create a billed Realtime API session).
| Item | Source value |
|---|---|
| Affected package | PraisonAI (PyPI) |
| Vulnerable endpoint | @app.websocket("/media-stream") in src/praisonai/praisonai/api/call.py |
| Impact | Denial of service + paid API credit drain (per advisory) |
| Severity | CVSS v3.1 7.5 (High) (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
| Affected versions | introduced: 0 to < 4.5.128 |
| Patched version | 4.5.128 |
| Weakness | CWE-770 (Allocation of Resources Without Limits or Throttling) |
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing (the advisory indicates the issue is fixed in
4.5.128). - Treat this as an exposure review item: confirm whether the service binds publicly (
0.0.0.0) and whether any tunneling (e.g., ngrok--public) or ingress rules expose/media-streambeyond trusted callers. - If you must run a vulnerable build temporarily, reduce blast radius consistent with the advisory’s fix themes:
- Restrict access to
/media-streamto trusted sources only (network policy / reverse proxy allowlists). - Enforce connection limits and rate limits at the edge (proxy/WAF) since the vulnerable endpoint accepts any WebSocket client.
- Restrict access to
- If abuse is suspected, investigate and contain the cost/availability impact:
- Review application logs for high connection churn and unusual WebSocket session counts (the advisory notes logs such as "Client connected").
- Rotate the
OPENAI_API_KEYused by the service and review provider-side usage/billing telemetry for anomalous Realtime activity.
"Add Twilio signature validation, connection limits, and rate limiting". "Additionally, pass
ws_max_sizeto uvicorn to limit individual message sizes".
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.