CVE-2026-40160
Received Received - Intake
Server-Side Request Forgery in PraisonAIAgents Web Crawl Component

Publication date: 2026-04-10

Last updated on: 2026-04-20

Assigner: GitHub, Inc.

Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-10
Last Modified
2026-04-20
Generated
2026-06-16
AI Q&A
2026-04-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-40160
EUVD
EUVD-2026-21513
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
praison praisonaiagents to 1.5.128 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

CVE-2026-40160 allows attackers to access internal network resources and cloud metadata endpoints, potentially leaking sensitive information such as IAM credentials. This unauthorized exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to prevent unauthorized access and disclosure of personal and sensitive information.

The vulnerability's impact on confidentiality and potential data leakage increases the risk of violating regulatory requirements related to data privacy and security.

Executive Summary

CVE-2026-40160 is a high-severity Server-Side Request Forgery (SSRF) vulnerability in the PraisonAI agents package, specifically in the `web_crawl` tool. The vulnerability occurs because the fallback HTTP client in `web_crawl` passes user-supplied URLs directly to the HTTP client without validating them. This means an attacker can trick the language model agent into crawling internal URLs, such as cloud metadata endpoints (e.g., 169.254.169.254), internal services, or localhost addresses.

Because the tool follows redirects and does not check the URL scheme or hostname, it can access sensitive internal resources. The content retrieved from these internal URLs is returned to the agent and may be exposed to the attacker, potentially leaking sensitive information like IAM credentials on cloud platforms.

This vulnerability is present in default PraisonAI installations where certain environment variables or packages are not set or installed, and it is fixed in version 1.5.128 by adding strict URL validation to block requests to private, loopback, or link-local IP addresses.

Impact Analysis

This vulnerability can allow an attacker to access internal network resources without authentication by tricking the PraisonAI agent into making HTTP requests to internal services.

The attacker can retrieve sensitive information such as cloud instance metadata and IAM credentials, which may lead to unauthorized access to cloud resources or internal systems.

The impact is primarily a high confidentiality loss, as sensitive data can be exposed. There is no direct impact on the integrity or availability of the vulnerable system itself, but there may be integrity impacts on other systems if the leaked credentials are misused.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected HTTP requests made by the PraisonAI agents, especially those targeting internal IP addresses such as 169.254.169.254 (cloud metadata endpoints), localhost, or other internal services.

You can check if the environment variable TAVILY_API_KEY is unset and if the crawl4ai package is not installed, as these conditions enable the vulnerable fallback HTTP client.

To detect exploitation attempts or the vulnerability in use, you can monitor network traffic for HTTP requests from PraisonAI agents to internal IP ranges or metadata endpoints.

  • Use network monitoring tools (e.g., tcpdump, Wireshark) to filter HTTP requests to internal IPs: tcpdump -i <interface> 'dst net 169.254.0.0/16 or dst net 127.0.0.0/8 or dst net 10.0.0.0/8 or dst net 192.168.0.0/16'
  • Check running PraisonAI processes and environment variables: env | grep TAVILY_API_KEY
  • Inspect installed Python packages to verify if crawl4ai is installed: pip show crawl4ai
  • Review logs or outputs of PraisonAI agents for evidence of fetched internal URLs or metadata content.
Mitigation Strategies

The primary mitigation is to upgrade PraisonAI agents to version 1.5.128 or later, where the vulnerability is fixed by adding strict URL validation in the web_crawl tool.

If upgrading immediately is not possible, ensure that the environment variable TAVILY_API_KEY is set and/or install the crawl4ai package, as these conditions disable the vulnerable fallback HTTP client.

Additionally, restrict network access from PraisonAI agents to internal IP ranges and cloud metadata endpoints at the firewall or network level to prevent SSRF exploitation.

  • Upgrade PraisonAI agents to version 1.5.128 or later.
  • Set the environment variable TAVILY_API_KEY to a valid key.
  • Install the crawl4ai package to disable the fallback HTTP client.
  • Implement network-level restrictions blocking outbound HTTP requests from PraisonAI agents to internal IP ranges such as 169.254.169.254, 127.0.0.1, and private IP blocks.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40160. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart