CVE-2026-40160

Name of the Vulnerable Software and Affected Versions PraisonAIAgents versions prior to 1.5.128

Description PraisonAIAgents, a multi-agent team system, had a Server-Side Request Forgery (SSRF) issue in the web crawl tool's httpx fallback path. This path directly passed user-supplied URLs to httpx.AsyncClient.get() with follow redirects=True and without host validation. An LLM agent tricked into crawling an internal URL could reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content was returned to the agent and could be visible to an attacker. This fallback was the default crawl path on a fresh PraisonAI installation without a Tavily key or Crawl4AI installed. The vulnerable code resides in src/praisonai-agents/praisonaiagents/tools/web crawl tools.py:133-180. The issue stemmed from the lack of scheme restriction, hostname resolution, or private/link-local IP checks, combined with follow redirects=True, allowing attackers to use open redirects to access internal networks. Exploitation could occur through direct agent interaction or indirect prompt injection via hidden instructions on crawled pages. Successful exploitation could expose IAM credentials on cloud infrastructure with IMDSv1 or reveal other internal services accessible to the host.

Recommendations Update PraisonAIAgents to version 1.5.128 or later. As a mitigation, add URL validation before the httpx request, incorporating the private-IP check from file tools.py into a shared utility. Specifically, add the following code before the httpx request in tools/web crawl tools.py: import urllib.parse, socket, ipaddress; parsed = urllib.parse.urlsplit(url); if parsed.scheme not in ("http", "https"): return f"Error: Unsupported scheme: {parsed.scheme}"; try: hostname = parsed.hostname; addr = ipaddress.ip address(socket.gethostbyname(hostname)); if addr.is private or addr.is loopback or addr.is link local: return "Error: Access to internal network addresses is not allowed"; except (socket.gaierror, ValueError): pass