CVE-2026-40160
Server-Side Request Forgery in PraisonAIAgents Web Crawl Component
Publication date: 2026-04-10
Last updated on: 2026-04-20
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| praison | praisonaiagents | to 1.5.128 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-40160 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the PraisonAI agents package, specifically in the `web_crawl` tool. The vulnerability occurs because the fallback HTTP client in `web_crawl` passes user-supplied URLs directly to the HTTP client without validating them. This means an attacker can trick the language model agent into crawling internal URLs, such as cloud metadata endpoints (e.g., 169.254.169.254), internal services, or localhost addresses.
Because the tool follows redirects and does not check the URL scheme or hostname, it can access sensitive internal resources. The content retrieved from these internal URLs is returned to the agent and may be exposed to the attacker, potentially leaking sensitive information like IAM credentials on cloud platforms.
This vulnerability is present in default PraisonAI installations where certain environment variables or packages are not set or installed, and it is fixed in version 1.5.128 by adding strict URL validation to block requests to private, loopback, or link-local IP addresses.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to access internal network resources without authentication by tricking the PraisonAI agent into making HTTP requests to internal services.
The attacker can retrieve sensitive information such as cloud instance metadata and IAM credentials, which may lead to unauthorized access to cloud resources or internal systems.
The impact is primarily a high confidentiality loss, as sensitive data can be exposed. There is no direct impact on the integrity or availability of the vulnerable system itself, but there may be integrity impacts on other systems if the leaked credentials are misused.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unexpected HTTP requests made by the PraisonAI agents, especially those targeting internal IP addresses such as 169.254.169.254 (cloud metadata endpoints), localhost, or other internal services.
You can check if the environment variable TAVILY_API_KEY is unset and if the crawl4ai package is not installed, as these conditions enable the vulnerable fallback HTTP client.
To detect exploitation attempts or the vulnerability in use, you can monitor network traffic for HTTP requests from PraisonAI agents to internal IP ranges or metadata endpoints.
- Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP requests to internal IPs: tcpdump -i <interface> 'dst net 169.254.0.0/16 or dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16'
- Check running PraisonAI processes and environment variables: env | grep TAVILY_API_KEY
- Inspect installed Python packages to verify if crawl4ai is installed: pip show crawl4ai
- Review logs or outputs of PraisonAI agents for evidence of fetched internal URLs or metadata content.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to upgrade PraisonAI agents to version 1.5.128 or later, where the vulnerability is fixed by adding strict URL validation in the web_crawl tool.
If upgrading immediately is not possible, ensure that the environment variable TAVILY_API_KEY is set and/or install the crawl4ai package, as these conditions disable the vulnerable fallback HTTP client.
Additionally, restrict network access from PraisonAI agents to internal IP ranges and cloud metadata endpoints at the firewall or network level to prevent SSRF exploitation.
- Upgrade PraisonAI agents to version 1.5.128 or later.
- Set the environment variable TAVILY_API_KEY to a valid key.
- Install the crawl4ai package to disable the fallback HTTP client.
- Implement network-level restrictions blocking outbound HTTP requests from PraisonAI agents to internal IP ranges such as 169.254.169.254, 127.0.0.1, and private IP blocks.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
CVE-2026-40160 allows attackers to access internal network resources and cloud metadata endpoints, potentially leaking sensitive information such as IAM credentials. This unauthorized exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access and disclosure of personal and sensitive information.
The vulnerability's impact on confidentiality and potential data leakage increases the risk of violating regulatory requirements related to data privacy and security.