Platform
nodejs
Component
httpx
Fixed in
4.5.129
CVE-2026-40114 describes a Server-Side Request Forgery (SSRF) vulnerability in PraisonAI, a framework for building multi-agent teams. The flaw lets an unauthenticated attacker make the server issue HTTP POST requests to destinations of the attacker's choosing. PraisonAI versions before 4.5.128 are affected; the issue is resolved in 4.5.128.
The SSRF vulnerability in PraisonAI poses a significant risk. An attacker can use it to send POST requests to internal services that are not reachable from outside, including cloud metadata services (for example the AWS EC2 instance metadata endpoint), internal APIs and other network-adjacent resources. Successful exploitation could lead to unauthorized access to sensitive data, modification of configuration, or compromise of the underlying infrastructure. Because the webhook_url parameter is accepted without authentication, the vulnerability is particularly concerning: it can be exploited without any prior credentials.
CVE-2026-40114 was publicly disclosed on 2026-04-09. No public proof-of-concept (PoC) code had been released at the time of writing, and the EPSS score stands at 0.03% (10th percentile), which reflects the absence of observed exploitation rather than any difficulty: the request needs no credentials, so exploitation is straightforward once the endpoint is reachable. It is not currently listed in the CISA KEV catalog.
Organizations running PraisonAI in cloud environments are at heightened risk, particularly where the instance metadata service is relied on for configuration or credentials. Multi-tenant deployments, where several users or teams share one PraisonAI instance, are also exposed: since no credentials are needed, anyone who can reach the endpoint, including another tenant, can trigger requests from the server's network position.
• nodejs / server: locate the outbound HTTP client used for the webhook request in the deployed source tree (path is a placeholder):
grep -rn 'httpx.AsyncClient' /path/to/praisonaiproject/
• generic web: check whether the run-creation endpoint exposes a webhook_url field (hostname is a placeholder; a HEAD request would return no body to search, so fetch the response body):
curl -s http://your-praisonai-server/api/v1/runs | grep -i 'webhook_url'
• generic web: review access/error logs, and the logs of any egress proxy, for POST requests to internal IP addresses or cloud metadata endpoints such as 169.254.169.254.
Disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40114 is to upgrade PraisonAI to version 4.5.128 or later, which adds the missing URL validation. If upgrading is not immediately feasible, restrict the server's outbound HTTP traffic at the network level (egress firewall rules or a forward proxy with a destination allowlist) so that requests to loopback, link-local and RFC 1918 addresses, and in particular the cloud metadata endpoint 169.254.169.254, are dropped; a WAF in front of the server does not see these outbound requests and cannot block them. On AWS, enforcing IMDSv2 also blunts a POST-only SSRF against the metadata service, because IMDSv2 requires a PUT request to obtain a session token before any metadata can be read. Additionally, restrict inbound network access to the PraisonAI server to trusted sources, and minimize the permissions of the account running the PraisonAI process to limit the damage if the vulnerability is exploited.
Update PraisonAI to version 4.5.128 or later to mitigate the SSRF vulnerability. The fix validates the URL supplied in the webhook_url parameter before any HTTP request is made.
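The following is an added example, not code from PraisonAI or from the advisory. It shows the kind of webhook_url validation the fix described above has to perform (scheme allowlist, no embedded credentials, every resolved address checked against internal and link-local ranges, IPv4-mapped IPv6 unwrapped), and reuses the same check to implement the log review from the detection section: scanning egress-proxy lines for POSTs that reached internal or metadata destinations. Only the parameter name webhook_url comes from the advisory; the function names, the blocklist, the log format and the sample lines are this example's own, and the fake resolver exists only so it runs offline.

```python
"""Added example (not PraisonAI's code): webhook_url validation of the kind
CVE-2026-40114's fix needs, plus an egress-log scan built on the same check.
Assumed: function names, blocklist, log format; only 'webhook_url' is from the advisory."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

# Ranges a webhook must never reach: loopback, RFC 1918, CGNAT, link-local
# (169.254.169.254, the cloud metadata address, lives here) and IPv6 counterparts.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

Resolver = Callable[[str], list[str]]

def default_resolver(host: str) -> list[str]:
    """All A/AAAA records for host (a literal IP resolves to itself)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})
    except socket.gaierror:
        return []

def is_blocked_address(addr: str) -> bool:
    """True if addr lies in a blocked range. IPv4-mapped IPv6 (::ffff:a.b.c.d)
    is unwrapped first so it cannot smuggle an internal IPv4 address past."""
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in BLOCKED_NETWORKS)

def validate_webhook_url(url: str, resolve: Resolver = default_resolver) -> str:
    """Return url if it is safe to POST to, else raise ValueError.
    Every resolved address is checked: a name with one public and one private
    record must not pass on the public one. Checking before the request still
    leaves a DNS-rebinding window; pinning the checked address in the HTTP
    client closes it and is out of scope here."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    # A bare decimal host such as 2852039166 either resolves (via the system
    # resolver) to 169.254.169.254 and is blocked, or does not resolve at all.
    addrs = resolve(parts.hostname)
    if not addrs:
        raise ValueError(f"host does not resolve: {parts.hostname!r}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{parts.hostname!r} resolves to blocked {addr}")
    return url

def is_safe_webhook_url(url: str, resolve: Resolver = default_resolver) -> bool:
    """Boolean form of validate_webhook_url for callers that only need yes/no."""
    try:
        validate_webhook_url(url, resolve)
        return True
    except ValueError:
        return False

def scan_egress_log(lines: Iterable[str], resolve: Resolver = default_resolver) -> list[dict]:
    """Flag POSTs whose destination is (or resolves to) a blocked address.
    Log format is this example's own: "<timestamp> <method> <url> <status>"."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4 or fields[1] != "POST":
            continue  # malformed line or not a POST: skip
        ts, _, url, status = fields
        try:
            validate_webhook_url(url, resolve)
        except ValueError as why:
            hits.append({"time": ts, "url": url, "status": status, "reason": str(why)})
    return hits

# Constructed sample lines, not real traffic.
SAMPLE_LOG = [
    "2026-04-10T12:00:01Z POST https://hooks.example.net/deliver 200",
    "2026-04-10T12:00:02Z POST http://169.254.169.254/latest/meta-data/ 200",
    "2026-04-10T12:00:03Z GET http://127.0.0.1:8080/admin 404",
    "2026-04-10T12:00:04Z POST http://[::ffff:10.0.0.5]/internal/api 500",
    "2026-04-10T12:00:05Z POST http://internal-admin.corp/reconfigure 200",
]

# Fixed answers so the example runs offline; production code uses default_resolver.
FAKE_DNS = {
    "hooks.example.net": ["203.0.113.10"],
    "internal-admin.corp": ["203.0.113.20", "10.1.2.3"],  # one public, one private record
}

def fake_resolver(host: str) -> list[str]:
    try:
        return [str(ipaddress.ip_address(host))]  # literal IP: itself
    except ValueError:
        return FAKE_DNS.get(host, [])

if __name__ == "__main__":
    for hit in scan_egress_log(SAMPLE_LOG, fake_resolver):
        print(hit["time"], hit["url"], "->", hit["reason"])
```

Run stand-alone it flags three of the five sample lines: the metadata POST, the IPv4-mapped address and the split-horizon name whose private record the public one would otherwise hide. The GET to 127.0.0.1 is deliberately not flagged, since the advisory concerns POST requests; widen the method check if the proxy in front of your deployment logs other outbound traffic worth reviewing.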
CVE-2026-40114 is a Server-Side Request Forgery vulnerability in PraisonAI versions before 4.5.128, allowing attackers to make arbitrary HTTP POST requests.
You are affected if you are running PraisonAI versions prior to 4.5.128. Upgrade to the latest version to mitigate the risk.
Upgrade PraisonAI to version 4.5.128 or later. Consider WAF rules or network restrictions as temporary workarounds.
No exploitation in the wild has been publicly confirmed, but because the request requires no credentials, exploitation is straightforward for anyone who can reach the endpoint.
Refer to the PraisonAI project's official website or security advisory page for the latest information and updates.