Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
Published: 2026-04-10
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Server Request Forgery that exposes internal network endpoints
Action: Immediate Patch
AI Analysis

Impact

PraisonAIAgents contains a flaw in its web_crawl function. Before version 1.5.128, the httpx fallback path accepted URLs supplied by a user without any host validation and performed HTTP GET requests with automatic redirect following. An LLM agent that is tricked into crawling a malicious internal URL can thereby retrieve the content of cloud metadata endpoints, internal services or localhost and have that content returned to the agent. Because the agent’s output may be shown to an external attacker, the vulnerability can leak sensitive internal information. The issue is a classic SSRF identified as CWE‑918.

Affected Systems

The affected product is PraisonAIAgents from MervinPraison. All releases older than 1.5.128 are vulnerable, including the default fresh installation path that uses httpx when no Tavily key or Crawl4AI is configured.

Risk and Exploitability

The CVSS score of 7.1 indicates a high risk of internal data exposure. No EPSS score is available, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires an attacker to supply a crafted URL that the agent will crawl; this can be done either directly via the web_crawl API or by leveraging the agent’s natural language abilities to request it. Once the request is made, the attacker can read data from the target internal endpoint without requiring additional privileges.

Generated by OpenCVE AI on April 10, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade PraisonAIAgents to version 1.5.128 or later, which implements host validation for web_crawl requests.
  • If an upgrade is not immediately possible, redirect the agent to use Tavily or install Crawl4AI so that the httpx fallback path is no longer exercised.
  • Limit the URLs that can be supplied to web_crawl to only external, trusted domains, or implement a whitelist validation layer.
  • Monitor agent logs for unexpected outbound requests to internal IP ranges such as 169.254.169.254 or localhost.

Generated by OpenCVE AI on April 10, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qq9r-63f6-v542 PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback
History

Mon, 20 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Praison
Praison praisonaiagents
CPEs cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
Vendors & Products Praison
Praison praisonaiagents
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Mon, 13 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Mervinpraison
Mervinpraison praisonaiagents
Vendors & Products Mervinpraison
Mervinpraison praisonaiagents

Fri, 10 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Description PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
Title PraisonAIAgents has SSRF via unvalidated URL in `web_crawl` httpx fallback
Weaknesses CWE-918
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:L/SA:N'}

Subscriptions

Mervinpraison Praisonaiagents
Praison Praisonaiagents
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-13T15:36:41.165Z

Reserved: 2026-04-09T19:31:56.014Z

Link: CVE-2026-40160

cve-icon Vulnrichment

Updated: 2026-04-13T15:25:04.679Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-10T17:17:13.950

Modified: 2026-04-20T20:17:49.560

Link: CVE-2026-40160

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T13:00:13Z

Weaknesses