Platform: python
Component: praisonai
Fixed in: 4.5.91, 4.5.90
CVE-2026-34936 describes a Server-Side Request Forgery (SSRF) vulnerability in praisonai, a Python library. An attacker who controls the api_base parameter passed to the passthrough() and apassthrough() functions can point the library's outbound HTTP requests at an arbitrary host, including internal resources that only the server can reach. The vulnerability affects praisonai versions up to and including 4.5.9; a fix is available in version 4.5.90.
Because the request is issued by the praisonai process, it carries the server's network position and any credentials or trust the server enjoys. This can lead to unauthorized access to internal services, data exfiltration and, if the targeted internal service is itself vulnerable, remote code execution. An attacker could, for example, scan internal networks, read cloud instance metadata services, or call internal APIs that rely on network location rather than authentication. Since api_base is accepted without URL scheme validation or a domain allowlist, any reachable scheme, host or literal IP address is a possible target, which makes the attack surface considerably larger than a single upstream LLM endpoint.
CVE-2026-34936 was publicly disclosed on 2026-04-01. There are currently no known public proof-of-concept exploits. The EPSS score is 0.03% (9th percentile), i.e. exploitation is not yet observed at scale, but the potential impact (reaching internal services and cloud metadata with the server's privileges) justifies prioritizing the patch.
Applications and systems using praisonai versions 4.5.9 and earlier are at risk, in particular deployments where praisonai is embedded in a larger AI pipeline or is used to interact with internal APIs. An SSRF lets the attacker reach anything the praisonai process can reach, so deployments where it runs alongside other services on the same host, container network or cloud instance (shared hosting, a cloud VM with a metadata service, sidecar services bound to localhost) expose those co-located services as well, even though they are not themselves vulnerable.
• python / server:
import re
from importlib.metadata import PackageNotFoundError, version

FIXED = (4, 5, 90)  # first fixed release named in this advisory

def parse_version(v):
    # Compare numerically: as strings '4.5.10' < '4.5.9', which mislabels releases.
    return tuple(int(n) for n in re.findall(r'\d+', v)[:3])

try:
    installed = version('praisonai')
except PackageNotFoundError:
    print('praisonai is not installed in this environment.')
else:
    if parse_version(installed) < FIXED:
        print(f'Vulnerability detected: praisonai {installed} is vulnerable (fixed in 4.5.90).')
    else:
        print(f'praisonai {installed} is not vulnerable.')
• generic web:
- Check for unusual outbound requests in server logs targeting internal IP addresses or sensitive endpoints.
- Monitor for requests to cloud metadata services (e.g., http://169.254.169.254/) originating from the praisonai application.
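To make the two detection points above concrete, here is an added example (not from the original page or the praisonai project) that runs the check over constructed egress-proxy log lines in an assumed `app=... dst=... status=...` format. It flags requests from the praisonai application to cloud metadata endpoints, to loopback, link-local and private-range addresses, and to internal-looking hostnames; the log format, the application label and the metadata host list are assumptions.

```python
"""Added example: flag suspicious outbound requests in egress logs.
Illustrative code only, not praisonai's own logging; the log format,
the app label and METADATA_HOSTS are assumptions."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample log lines (not real praisonai output).
SAMPLE_LOG = """\
2026-04-02T10:15:01Z app=praisonai dst=https://api.openai.com/v1/chat/completions status=200
2026-04-02T10:15:03Z app=praisonai dst=http://169.254.169.254/latest/meta-data/iam/security-credentials/ status=200
2026-04-02T10:15:04Z app=praisonai dst=http://10.0.0.12:8500/v1/kv/ status=403
2026-04-02T10:15:05Z app=praisonai dst=http://metadata.google.internal/computeMetadata/v1/ status=200
2026-04-02T10:15:06Z app=billing dst=http://127.0.0.1:6379/ status=000
2026-04-02T10:15:07Z app=praisonai dst=http://vault.internal:8200/v1/secret/ status=200
2026-04-02T10:15:08Z app=praisonai dst=https://[fd00:ec2::254]/latest/meta-data/ status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) dst=(?P<dst>\S+) status=(?P<status>\d+)$")

# Well-known cloud metadata endpoints (IMDS IPv4/IPv6 and GCE); extend for your provider.
METADATA_HOSTS = {"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"}
INTERNAL_SUFFIXES = (".internal", ".local", ".localhost")  # assumed naming convention

def classify_destination(url):
    """Return a reason string if the destination looks internal, else None."""
    host = urlsplit(url).hostname  # lowercased, IPv6 brackets stripped
    if host is None:
        return "unparseable"
    if host in METADATA_HOSTS:
        return "cloud-metadata"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Not a literal IP: judge the hostname itself.
        if host == "localhost" or host.endswith(INTERNAL_SUFFIXES):
            return "internal-hostname"
        return None
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_private:
        return "private-range"
    return None

def scan(log_text, app="praisonai"):
    """Return (timestamp, reason, destination, status) for each suspicious request by `app`."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["app"] != app:
            continue
        reason = classify_destination(m["dst"])
        if reason:
            findings.append((m["ts"], reason, m["dst"], int(m["status"])))
    return findings

if __name__ == "__main__":
    for ts, reason, dst, status in scan(SAMPLE_LOG):
        print(f"{ts} {reason:18} {status} {dst}")
```

Non-2xx hits (the 403 from the private Consul-style address in the sample) are still worth alerting on: a denied request to an internal service from an LLM-proxying process is evidence of probing, not noise.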
Disclosure: 2026-04-01
Exploit status: no known public exploit
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34936 is to upgrade to praisonai version 4.5.90 or later, which validates the api_base URL. If upgrading is not immediately feasible, constrain the process's outbound traffic: route it through an egress (forward) proxy that only permits the upstream API hosts you actually use, or add host/network firewall rules that block connections from the praisonai process to private ranges, loopback and the cloud metadata address. Note that a Web Application Firewall inspects inbound requests and does not stop an SSRF's outbound connection. Also make sure api_base cannot be set from untrusted input (request parameters, prompts, configuration editable by end users), restrict the permissions and credentials available to the praisonai process to limit the impact of a successful exploit, and monitor outbound traffic from the application for unusual destinations.
Update PraisonAI to version 4.5.90 or later to mitigate the SSRF vulnerability. This version fixes the missing URL validation on the api_base parameter, preventing requests to unauthorized hosts.
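As an added illustration (not praisonai's own code and not the 4.5.90 patch), the following shows the flaw class described above, a base URL taken from the caller and used verbatim, next to a validator of the kind the fix description implies: an https-only scheme check, a host allowlist, rejection of embedded credentials, and a check that every address the host resolves to is public. Function names, ALLOWED_HOSTS and the FAKE_DNS table are assumptions constructed so the example runs offline.

```python
"""Added example: an unvalidated api_base beside a hardened validator.
Illustrative code only; not praisonai's passthrough()/apassthrough() nor its fix.
Function names, ALLOWED_HOSTS and FAKE_DNS are assumptions."""
import ipaddress
from urllib.parse import urlsplit, urlunsplit

# Constructed DNS table so the example runs offline (production code would call
# socket.getaddrinfo() and check every returned address).
FAKE_DNS = {
    "api.openai.com": ["93.184.216.34"],  # constructed public address
    "llm.internal": ["10.0.0.5"],         # private host on the server's network
}
ALLOWED_HOSTS = {"api.openai.com"}  # assumption: the only upstream the operator uses

def _fake_resolve(host):
    return FAKE_DNS.get(host, [])

def vulnerable_passthrough_url(api_base, path):
    """The flaw class: the caller-supplied base is used as-is, so any scheme,
    host or literal IP (e.g. http://169.254.169.254) becomes the request target."""
    return api_base.rstrip("/") + "/" + path.lstrip("/")

def is_public_ip(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast

def validate_api_base(api_base, resolver=_fake_resolve):
    """Return a normalised base URL, or raise ValueError with the reason."""
    parts = urlsplit(api_base)
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in URL not allowed")  # blocks https://allowed-host@evil/
    host = parts.hostname
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    addrs = resolver(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise ValueError(f"host resolves to a non-public address: {addrs}")
    return urlunsplit(("https", parts.netloc, parts.path.rstrip("/"), "", ""))

def hardened_passthrough_url(api_base, path, resolver=_fake_resolve):
    return validate_api_base(api_base, resolver) + "/" + path.lstrip("/")

def rejection_reason(api_base, resolver=_fake_resolve):
    """'' when api_base is accepted, otherwise the reason it was rejected."""
    try:
        validate_api_base(api_base, resolver)
        return ""
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    for url in ("https://api.openai.com/v1", "http://169.254.169.254/latest",
                "https://api.openai.com@169.254.169.254/", "https://llm.internal/v1"):
        print(f"{url:45} -> {rejection_reason(url) or 'accepted'}")
```

The resolver check closes the obvious DNS bypass (an allowlisted name that resolves to 169.254.169.254 or a private address), but it is still a time-of-check/time-of-use gap if the HTTP client resolves the name again when connecting; the robust version pins the connection to the address that was checked, or enforces the same policy at the egress proxy.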
CVE-2026-34936 is a Server-Side Request Forgery (SSRF) vulnerability affecting praisonai versions up to 4.5.9. It allows attackers to send requests to any reachable host from the server.
You are affected if you are using praisonai version 4.5.9 or earlier. Upgrade to 4.5.90 to mitigate the risk.
Upgrade to praisonai version 4.5.90 or later. As a temporary workaround, restrict the application's outbound traffic with an egress proxy or firewall rules that block private ranges, loopback and the cloud metadata address (a WAF, which inspects inbound traffic, does not prevent SSRF).
There are currently no known active exploits, but it is recommended to patch promptly due to the potential for significant impact.
Refer to the praisonai project's official channels (e.g., GitHub repository, mailing list) for the latest advisory and security updates.