Platform
python
Component
praisonai
Fixed versions
4.5.91
4.5.90
CVE-2026-34936 describes a Server-Side Request Forgery (SSRF) vulnerability discovered in praisonai, a Python library. An attacker who controls the api_base parameter passed to the passthrough() and apassthrough() functions can direct the server's outbound requests to a host of their choosing, bypassing security controls and potentially reaching internal resources. The vulnerability affects versions of praisonai up to and including 4.5.9, and a fix is available in version 4.5.90.
The SSRF vulnerability in praisonai allows an attacker to craft malicious requests that appear to originate from the server itself. This can lead to unauthorized access to internal services, data exfiltration, and potentially even remote code execution if the targeted internal service is vulnerable. An attacker could, for example, scan internal networks, access cloud metadata services, or interact with internal APIs without proper authentication. The lack of URL scheme validation and domain allowlisting significantly expands the potential attack surface, making it possible to target a wide range of internal resources.
CVE-2026-34936 was publicly disclosed on 2026-04-01. Currently, there are no known public proof-of-concept exploits available. The EPSS score is pending evaluation. It is recommended to prioritize patching due to the potential for significant impact if exploited.
Applications and systems utilizing praisonai versions 4.5.9 and earlier are at risk. This includes deployments where praisonai is integrated into larger AI pipelines or used to interact with internal APIs. Shared hosting environments where multiple applications share the same server instance are particularly vulnerable, as a compromise of one application could potentially lead to the exploitation of this vulnerability in others.
• python / server:

    import subprocess

    def parse_version(text):
        # Compare numerically: a plain string comparison would rank '4.5.10' below '4.5.9'.
        # Expects release versions of the form X.Y.Z.
        return tuple(int(part) for part in text.strip().split('.'))

    # Read the installed praisonai version from pip metadata
    result = subprocess.run(['pip', 'show', 'praisonai'], capture_output=True, text=True)
    version_lines = [line for line in result.stdout.splitlines() if line.startswith('Version: ')]
    if not version_lines:
        print('praisonai is not installed.')
    elif parse_version(version_lines[0][len('Version: '):]) <= parse_version('4.5.9'):
        print('Vulnerability detected: praisonai version is vulnerable.')
    else:
        print('praisonai version is not vulnerable.')

• generic web:
- Check for unusual outbound requests in server logs targeting internal IP addresses or sensitive endpoints.
- Monitor for requests to cloud metadata services (e.g., http://169.254.169.254/) originating from the praisonai application.
Disclosure
Exploitation status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34936 is to upgrade to praisonai version 4.5.90 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy to filter outbound requests and block those targeting internal IP addresses or sensitive endpoints. Additionally, carefully review and restrict the permissions granted to the praisonai application to minimize the potential impact of a successful exploit. Monitor network traffic for unusual outbound requests originating from the praisonai application.
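The detection bullets above (outbound requests to internal addresses or the metadata endpoint) and the mitigation just described (restricting which hosts the application may call) can both be shown in code. What follows is an added example written for this page; it is not praisonai's code and does not reproduce the project's fix. It assumes a hypothetical policy (HTTPS only, an allowlist containing the made-up host api.example-llm.test), an assumed egress-proxy log format, and constructed log lines. validate_api_base is the kind of scheme, allowlist and resolved-address check a caller can apply before handing an api_base value to an API client, and find_suspicious_outbound flags logged requests aimed at loopback, link-local (including 169.254.169.254) or private addresses.

```python
import ipaddress
import re
import socket
from urllib.parse import urlsplit

# Assumed policy for this example: HTTPS only, and only the upstream API hosts
# the application is meant to call. The hostname is made up.
ALLOWED_SCHEMES = {"https"}
ALLOWED_HOSTS = {"api.example-llm.test"}


def internal_host_reason(host):
    """Explain why `host` points at an internal resource, or return None.

    Only literal IP addresses and 'localhost' can be judged without DNS; for a
    DNS name this returns None and the caller must resolve it first.
    """
    if host.lower() == "localhost":
        return "loopback hostname"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None
    if ip.is_loopback:
        return "loopback address"
    if ip.is_link_local:
        return "link-local address (169.254.0.0/16 holds the cloud metadata endpoint)"
    if not ip.is_global:
        return "private or otherwise non-global address"
    return None


def validate_api_base(api_base, resolver=socket.gethostbyname):
    """Return a normalised base URL, or raise ValueError if it fails the policy.

    `resolver` is injectable so the check can be exercised without network access.
    """
    parts = urlsplit(api_base)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("URL has no host")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not in allowlist: {host!r}")
    # An allowlisted name can still resolve to an internal address (DNS
    # rebinding), so check the resolved address too. A production client should
    # also connect to the address it checked rather than resolving again.
    try:
        resolved = resolver(host)
    except OSError as exc:
        raise ValueError(f"cannot resolve {host!r}") from exc
    reason = internal_host_reason(resolved)
    if reason:
        raise ValueError(f"{host!r} resolves to {resolved} ({reason})")
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{host}{port}{parts.path}"


def api_base_is_safe(api_base, resolver=socket.gethostbyname):
    """Boolean form of validate_api_base for callers that only need yes/no."""
    try:
        validate_api_base(api_base, resolver)
    except ValueError:
        return False
    return True


# Detection side: the egress-proxy log format below is an assumption, and the
# sample lines are constructed for this example, not real log data.
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")
SAMPLE_EGRESS_LOG = [
    "2026-04-02T10:00:01Z praisonai-worker GET https://api.example-llm.test/v1/models",
    "2026-04-02T10:00:05Z praisonai-worker GET http://169.254.169.254/latest/meta-data/",
    "2026-04-02T10:00:09Z praisonai-worker POST http://10.0.0.12:8080/admin",
    "2026-04-02T10:00:12Z praisonai-worker GET http://localhost:6379/",
    "malformed line that does not match the format",
]


def find_suspicious_outbound(log_lines):
    """Return (timestamp, url, reason) for each logged request aimed at an internal host."""
    findings = []
    for line in log_lines:
        match = LOG_LINE.match(line)
        if not match:
            continue
        host = urlsplit(match["url"]).hostname
        reason = internal_host_reason(host) if host else None
        if reason:
            findings.append((match["ts"], match["url"], reason))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_outbound(SAMPLE_EGRESS_LOG):
        print(*finding)
```

Run as a script, the block prints the three constructed log entries that point at the metadata endpoint, a private address and the loopback interface. The resolver is passed in so the allowlist logic can be tested offline; in a real client the same address check should be applied to the address actually connected to, otherwise a name that resolves differently on the second lookup slips past.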
Update PraisonAI to version 4.5.90 or later to mitigate the SSRF vulnerability. This version fixes the missing URL validation on the api_base parameter, preventing requests from being made to unauthorized hosts.
CVE-2026-34936 is a Server-Side Request Forgery (SSRF) vulnerability affecting praisonai versions up to 4.5.9. It allows attackers to send requests to any reachable host from the server.
You are affected if you are using praisonai version 4.5.9 or earlier. Upgrade to 4.5.90 to mitigate the risk.
Upgrade to praisonai version 4.5.90 or later. As a temporary workaround, implement a WAF or proxy to filter outbound requests.
There are currently no known active exploits, but it is recommended to patch promptly due to the potential for significant impact.
Refer to the praisonai project's official channels (e.g., GitHub repository, mailing list) for the latest advisory and security updates.