PraisonAI: AgentOS remains unauthenticated after incomplete fix version and allows remote agent invocation
AgentOS remains unauthenticated after GHSA-pm96 patched version and allows remote agent invocation
Summary
PraisonAI's AgentOS FastAPI deployment surface remains unauthenticated in
current main and in releases after the published patched version for
GHSA-pm96-6xpr-978x / CVE-2026-40151.
The public AgentOS advisory is published as an instruction-disclosure issue
with affected versions `< 4.5.128` and patched version `4.5.128`. However,
`v4.5.128`, latest release `v4.6.57`, and current main still register
`GET /api/agents` and `POST /api/chat` without authentication. The chat route
directly calls `agent.chat(request.message)`. No-auth and wrong-bearer requests
both execute the deployed agent.
This is broader than passive metadata disclosure. In any deployment where AgentOS wraps agents with tools, private context, memory, API integrations, or cost-bearing model calls, an unauthenticated reachable client can drive those agents.
Affected Product
- Repository: `MervinPraison/PraisonAI`
- Package: `praisonai`
- Component: `src/praisonai/praisonai/app/agentos.py`
- Config component: `src/praisonai-agents/praisonaiagents/app/config.py`
- Public advisory incomplete-fix reference: `GHSA-pm96-6xpr-978x` / `CVE-2026-40151`
Confirmed affected dynamically:
- `v4.5.126`
- `v4.5.128` (published patched version for `GHSA-pm96-6xpr-978x`)
- `v4.6.9`
- `v4.6.10`
- `v4.6.56`
- `v4.6.57`
- current main `2f9677abb2ea68eab864ee8b6a828fd0141612e1`
Static source review found the same unauthenticated route pattern and
`0.0.0.0` default in `v4.2.1`.
Suggested affected range: `>= 4.2.1,