Platform: python
Component: praisonai
Fixed in: 4.5.91, 4.5.90
CVE-2026-34936 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in praisonai, a Python library. This flaw allows an attacker to manipulate the api_base parameter within the passthrough() and apassthrough() functions, bypassing security controls and potentially accessing internal resources. The vulnerability affects versions of praisonai up to and including 4.5.9, and a fix is available in version 4.5.90.
The SSRF vulnerability in praisonai allows an attacker to craft malicious requests that appear to originate from the server itself. This can lead to unauthorized access to internal services, data exfiltration, and potentially even remote code execution if the targeted internal service is vulnerable. An attacker could, for example, scan internal networks for open ports, access sensitive configuration files, or interact with internal APIs without proper authentication. The blast radius extends to any service reachable from the praisonai server, potentially impacting critical infrastructure and sensitive data.
This vulnerability was publicly disclosed on 2026-04-01. There is no indication of this vulnerability being actively exploited at this time. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems utilizing praisonai versions 4.5.9 and earlier are at risk. This includes deployments where praisonai is integrated into larger AI pipelines or used to interact with internal APIs. Shared hosting environments where multiple applications share the same server instance are particularly vulnerable, as a compromise of one application could potentially lead to the exploitation of this vulnerability in others.
• python / server:

```python
from importlib.metadata import PackageNotFoundError, version

# Check the installed praisonai version against the advisory's affected range
# (stdlib only; no subprocess call to pip needed)
def parse(v):
    # Compare numeric components, not strings: as text '4.5.10' < '4.5.9'
    return tuple(int(p) for p in v.split('.')[:3])

try:
    installed = version('praisonai')
except PackageNotFoundError:
    print('praisonai is not installed.')
else:
    if parse(installed) <= parse('4.5.9'):
        print(f'Vulnerability detected: praisonai {installed} is vulnerable.')
    else:
        print(f'praisonai {installed} is not vulnerable.')
```

• generic web:
- Check for unusual outbound requests in server logs targeting internal IP addresses or sensitive endpoints.
- Monitor for requests to cloud metadata services (e.g., http://169.254.169.254/) originating from the praisonai application.
Disclosure:
Exploit status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34936 is to upgrade to praisonai version 4.5.90 or later, which includes the necessary URL validation and filtering to prevent SSRF attacks. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules to block requests containing suspicious URLs or patterns. Additionally, restrict network access to the praisonai server to only allow connections to necessary internal services. Monitor logs for unusual outbound requests originating from the praisonai server. After upgrade, confirm the fix by attempting a request with a clearly malicious URL (e.g., http://127.0.0.1:8080) and verifying that it is blocked.
Update PraisonAI to version 4.5.90 or later to fix the SSRF vulnerability. This version fixes the missing URL validation of the api_base parameter, which prevents requests from being sent to unauthorized hosts.
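The following is an added example, not code from the praisonai project: it shows the kind of api_base validation the mitigation above describes (scheme and host allowlist, then an internal-address check on the resolved IP), and reuses the same address check over constructed outbound-log lines for the detection hints given earlier. The allowlisted hosts, the injectable resolver and the log format are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed operator allowlist of upstream API hosts (placeholder values, not from praisonai).
ALLOWED_HOSTS = {"api.openai.com", "api.anthropic.com"}

def is_internal_ip(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254) and reserved ranges."""
    a = ipaddress.ip_address(ip)
    return a.is_private or a.is_loopback or a.is_link_local or a.is_reserved or a.is_unspecified

def check_api_base(api_base: str, resolve=socket.gethostbyname):
    """Return None if api_base is safe to proxy to, else the rejection reason.
    `resolve` is injectable so the check can run offline in tests."""
    parts = urlsplit(api_base)
    if parts.scheme != "https":
        return f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return "credentials embedded in URL"
    host = parts.hostname
    if host not in ALLOWED_HOSTS:  # also rejects literal IPs and an empty host
        return f"host not in allowlist: {host!r}"
    # Re-check after resolution: an allowlisted name must not point at an internal
    # address (misconfiguration or DNS rebinding); connect to this resolved IP afterwards.
    ip = resolve(host)
    if is_internal_ip(ip):
        return f"{host} resolves to internal address {ip}"
    return None

# Constructed outbound-request log lines for the detection check (not real data).
SAMPLE_LOG = """\
2026-04-02T10:00:01Z praisonai outbound GET https://api.openai.com/v1/models
2026-04-02T10:00:07Z praisonai outbound GET http://169.254.169.254/latest/meta-data/
2026-04-02T10:00:09Z praisonai outbound POST http://10.0.3.15:8080/admin
"""

def flag_internal_requests(log_text: str) -> list:
    """Return log lines whose outbound URL targets a literal internal IP address."""
    hits = []
    for line in log_text.splitlines():
        host = urlsplit(line.rsplit(" ", 1)[-1]).hostname
        try:
            if host and is_internal_ip(host):
                hits.append(line)
        except ValueError:
            pass  # a DNS name, not a literal IP; judging it would need resolution
    return hits
```

Running `check_api_base("http://127.0.0.1:8080")` reproduces the post-upgrade verification probe from the mitigation text and returns a rejection reason.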
CVE-2026-34936 is a Server-Side Request Forgery (SSRF) vulnerability affecting praisonai versions up to 4.5.9. It allows attackers to send requests to any reachable host from the server.
You are affected if you are using praisonai version 4.5.9 or earlier. Upgrade to 4.5.90 to mitigate the risk.
Upgrade to praisonai version 4.5.90 or later. As a temporary workaround, implement a WAF or proxy to filter outbound requests.
There are currently no known active exploits, but it is recommended to patch promptly due to the potential for significant impact.
Refer to the praisonai project's official channels (e.g., GitHub repository, mailing list) for the latest advisory and security updates.