Description
PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a blind SSRF attack.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
No advisories yet.
References
History
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a blind SSRF attack. | |
| Title | PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url | |
| First Time appeared |
Praison
Praison praisonai |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Praison
Praison praisonai |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T13:58:03.638Z
Reserved: 2026-07-08T12:14:28.344Z
Link: CVE-2026-60091
No data.
No data.
No data.
OpenCVE Enrichment
No data.
Weaknesses
-
CWE-918
Server-Side Request Forgery (SSRF)