Description
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Published: 2026-04-03
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side request forgery exposing internal hosts
Action: Immediate Patch
AI Analysis

Impact

PraisonAI’s FileTools.download_file() validates the file path but not the URL argument, passing it directly to httpx.stream() with redirects enabled. This flaw permits an attacker that can specify the URL to trigger outbound HTTP(S) requests from the PraisonAI server to any host reachable from that environment, including cloud metadata endpoints and internal network services. The resulting information disclosure or remote code execution depends on the target service’s exposure and could compromise confidentiality and potentially integrity of internal resources.

Affected Systems

The vulnerability affects the MervinPraison PraisonAI product, specifically the praisonaiagents component in all releases before 1.5.95. Users running any older version are susceptible; the issue is safely resolved in version 1.5.95 and later.

Risk and Exploitability

With a CVSS base score of 8.6, the flaw is high severity. The EPSS score of less than 1 % suggests a low probability of near‑future exploitation, and it is not listed in the CISA KEV catalog. The likely attack vector requires an adversary to supply a crafted URL to FileTools.download_file(); if the function is exposed via an API or internal workflow, the server can be compelled to contact arbitrary endpoints, including sensitive metadata services. Exploitation is straightforward, relying only on the ability to control the URL parameter and the server’s outbound network reachability.

Generated by OpenCVE AI on April 13, 2026 at 21:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading PraisonAI to version 1.5.95 or later.
  • If upgrading is not immediately possible, block outbound traffic from the PraisonAI server to known internal and metadata endpoints using firewall rules or network segmentation.
  • As a temporary workaround, restrict or disable the use of FileTools.download_file() in non‑trusted contexts and audit incoming URLs to ensure they target only allowed external hosts.

Generated by OpenCVE AI on April 13, 2026 at 21:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-44c2-3rw4-5gvh PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
History

Mon, 13 Apr 2026 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
Vendors & Products Praison praisonai
Praison praisonaiagents

Thu, 09 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonai
CPEs cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonai

Tue, 07 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonai
Vendors & Products Mervinpraison
Mervinpraison praisonai

Mon, 06 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 04 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Description PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Title PraisonAI: SSRF in FileTools.download_file() via Unvalidated URL
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N'}

Subscriptions

Mervinpraison Praisonai
Praison Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-06T13:23:09.832Z

Reserved: 2026-03-31T17:27:08.661Z

Link: CVE-2026-34954

cve-icon Vulnrichment

Updated: 2026-04-06T13:23:04.633Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-03T23:17:06.810

Modified: 2026-04-13T18:46:18.453

Link: CVE-2026-34954

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-14T16:41:18Z

Weaknesses