Platform: nodejs
Component: httpx
Fixed in: 4.5.129
CVE-2026-40114 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in PraisonAI, a multi-agent teams system. This flaw allows an unauthenticated attacker to manipulate the system into making HTTP POST requests to arbitrary destinations. The vulnerability impacts versions of PraisonAI before 4.5.128 and is resolved in version 4.5.128.
The SSRF vulnerability in PraisonAI poses a significant risk. An attacker can leverage it to send POST requests to internal services that are not directly reachable from the outside, including cloud metadata services (e.g., AWS EC2 instance metadata), internal APIs, and other network-adjacent resources. Successful exploitation could lead to unauthorized access to sensitive data, modification of configurations, or even complete compromise of the underlying infrastructure. Because no authentication is required to supply the webhook_url parameter, the vulnerability is particularly concerning: it can be exploited without any prior credentials.
CVE-2026-40114 was publicly disclosed on 2026-04-09. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). It is not currently listed on the CISA KEV catalog.
Organizations utilizing PraisonAI in cloud environments, particularly those relying on cloud metadata services for configuration or authentication, are at heightened risk. Shared hosting environments where multiple users share the same PraisonAI instance are also vulnerable, as an attacker could potentially exploit the vulnerability through another user's actions.
• nodejs / server:
  grep -r 'httpx.AsyncClient' /path/to/praisonaiproject/
• generic web:
  curl -I http://your-praisonaia-server/api/v1/runs | grep -i 'webhook_url'
• generic web: Review access/error logs for unusual POST requests to internal IP addresses or cloud metadata endpoints.
disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-40114 is to upgrade PraisonAI to version 4.5.128 or later, which includes the necessary URL validation fix. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or proxy to filter outbound HTTP requests and block those destined for potentially sensitive internal endpoints. Additionally, restrict network access to the PraisonAI server to only allow connections from trusted sources. Thoroughly review and restrict the permissions of the user account running the PraisonAI process to minimize potential damage if the vulnerability is exploited.
Update the httpx library to version 4.5.128 or later to mitigate the SSRF vulnerability. This involves validating the URLs supplied in the webhook_url parameter before making HTTP requests.
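One way to implement the webhook_url validation the fix describes, as an added example that is not PraisonAI's or httpx's own code: it rejects non-HTTP schemes, embedded credentials, and any URL whose host is, or resolves to, a non-public address, checking every resolved address rather than only the first (the function names, the `resolve` hook and the sample inputs are assumptions).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Non-public ranges a webhook must never reach: RFC 1918 and CGNAT space, loopback,
# link-local (where 169.254.169.254, the cloud metadata service, lives), multicast and
# reserved space, plus the IPv6 equivalents (unspecified, loopback, ULA, link-local, multicast).
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "ff00::/8",
)]


def resolve_all(host):
    """Resolve a hostname to every A/AAAA address it maps to (as strings)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def validate_webhook_url(url, resolve=resolve_all):
    """Return (ok, reason); ok is True only if every address the URL can reach is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if parts.username or parts.password:
        return False, "credentials in URL"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)     # IP literal (IPv4 or bracketed IPv6)
        addresses = [host]
    except ValueError:
        try:
            addresses = resolve(host)  # hostname: check every address, not just the first
        except OSError:
            return False, "unresolvable host"
    if not addresses:
        return False, "host resolves to no addresses"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.5 is really 10.0.0.5; compare the embedded IPv4 address instead
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
            ip = ip.ipv4_mapped
        if any(ip in net for net in BLOCKED_NETWORKS):
            return False, f"{addr} is not a public address"
    return True, "ok"
```

Checking at submission time does not by itself close DNS rebinding, so the address accepted here should be the one the POST actually connects to; leaving httpx at its default of not following redirects also keeps a public webhook from bouncing the request to an internal one.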
CVE-2026-40114 is a Server-Side Request Forgery vulnerability in PraisonAI versions before 4.5.128, allowing attackers to make arbitrary HTTP POST requests.
You are affected if you are running PraisonAI versions prior to 4.5.128. Upgrade to the latest version to mitigate the risk.
Upgrade PraisonAI to version 4.5.128 or later. Consider WAF rules or network restrictions as temporary workarounds.
While no active exploitation has been publicly confirmed, the vulnerability's ease of exploitation suggests a potential risk.
Refer to the PraisonAI project's official website or security advisory page for the latest information and updates.