PT-2026-31783 · Httpx+1

Published 2026-04-09 · Updated 2026-04-10 · CVE-2026-40114

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

PraisonAI versions prior to 4.5.128

Description

PraisonAI is a multi-agent teams system. The /api/v1/runs endpoint accepts an arbitrary webhook URL in the request body without URL validation. Upon job completion (success or failure), the server sends an HTTP POST request to this URL using httpx.AsyncClient. This allows an unauthenticated attacker to make the server send POST requests to arbitrary internal or external destinations, potentially enabling Server-Side Request Forgery (SSRF) against cloud metadata services, internal APIs, and other network-adjacent services.

Recommendations

Update PraisonAI to version 4.5.128 or later.
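
A server-side check of the kind the description says was missing, as an added example (not PraisonAI's code and not the fix shipped in 4.5.128): it validates a webhook URL before any POST is sent. The function names, the HTTPS-only policy and the injectable `resolver` parameter are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}  # assumption: webhooks must use HTTPS


def resolve_all(host, port):
    """Default resolver: every IP address the host name resolves to."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def check_webhook_url(url, resolver=resolve_all):
    """Return (host, port, ips) for an acceptable webhook URL, else raise ValueError.

    Every resolved address must be publicly routable; one internal address
    among several public ones is enough to reject the URL.
    """
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or 443  # urlsplit raises ValueError on a malformed port
    ips = resolver(host, port)
    if not ips:
        raise ValueError("host did not resolve")
    for ip in ips:
        addr = ipaddress.ip_address(ip.split("%")[0])  # drop any IPv6 zone id
        # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the embedded IPv4 address.
        mapped = getattr(addr, "ipv4_mapped", None)
        if mapped is not None:
            addr = mapped
        # is_global is False for loopback, RFC 1918, link-local (which covers
        # the 169.254.169.254 metadata address), CGNAT and reserved ranges.
        if not addr.is_global or addr.is_multicast:
            raise ValueError(f"{host} resolves to non-public address {addr}")
    return host, port, ips
```

The request should then connect to one of the returned IPs instead of resolving the name a second time, and the HTTP client should not follow redirects, since either would let the destination change after the check.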

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-40114
GHSA-8FRJ-8Q3M-XHGM

Affected Products

Praisonai
Httpx