PT-2026-38305 · Praisonai · Praisonai

Fushuling +1 · Published 2026-05-06 · Updated 2026-05-14

CVE-2026-44335

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PraisonAI versions prior to 1.6.32

Description: A logical flaw in the URL checking logic allows attackers to bypass security filters, leading to Server-Side Request Forgery (SSRF). The system uses the validate_url() function to perform security checks on the host portion of a URL as extracted by urlparse(). However, urlparse() and the requests library do not parse certain URLs the same way. For example, for the URL http://127.0.0.1:6666@1.1.1.1, urlparse() reports the hostname as 1.1.1.1 (a public address), while requests interprets the target as 127.0.0.1 (an internal address). Because the check and the client disagree about which host the URL names, a request can be routed to an internal network address even though the URL passed validation.

Recommendations: Update to version 1.6.32.
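The bug class above is a parser differential: the validator and the HTTP client read different hosts out of the same string. The following is an added example, not PraisonAI's code or its fix; it assumes a Python service that validates a user-supplied URL with urllib.parse.urlparse() before passing the string to an HTTP client. It shows the naive check the advisory describes passing the crafted URL, and a hardened validate_url() that closes the gap by refusing userinfo outright (so there is no "@" for two parsers to split differently), resolving the host and checking every address against non-public ranges, and rebuilding the URL from the checked components so the client receives exactly the authority that was validated. The resolver is injectable so the example runs offline; the hostname-to-address table used in the demo is constructed.

```python
"""Hardened URL validation against parser-differential SSRF.

Added example, not PraisonAI's own code. Assumes a Python service that
validates a user-supplied URL with urllib.parse.urlparse() before handing
the string to an HTTP client library.
"""
import ipaddress
import socket
from urllib.parse import urlparse, urlunparse

ALLOWED_SCHEMES = {"http", "https"}


def naive_validate_url(url: str) -> bool:
    """The vulnerable pattern: trust urlparse().hostname alone.

    For 'http://127.0.0.1:6666@1.1.1.1', urlparse() reports hostname
    '1.1.1.1' (the part after the last '@'), so this check passes even
    though the string still carries '127.0.0.1:6666' in its authority and
    is handed to the HTTP client unchanged.
    """
    host = urlparse(url).hostname
    if host is None:
        return False
    try:
        return ipaddress.ip_address(host).is_global
    except ValueError:
        return True  # a DNS name is waved through unresolved (also unsafe)


def default_resolve(host: str) -> list:
    """Resolve a hostname to every A/AAAA address it has (needs network)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def _is_public(ip) -> bool:
    """True only for addresses outside private, loopback, link-local,
    multicast, reserved and unspecified ranges."""
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_validate_url(url: str, resolve=default_resolve):
    """Return (True, canonical_url) or (False, reason).

    Defences against parser disagreement:
      1. refuse userinfo entirely, so no '@' is left to split differently;
      2. resolve the host and check every address, not only a literal IP;
      3. rebuild the URL from the parsed components, so the client sees
         exactly the authority that was checked.
    """
    parsed = urlparse(url)
    if parsed.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if ("@" in parsed.netloc or parsed.username is not None
            or parsed.password is not None):
        return False, "credentials in URL are not allowed"
    host = parsed.hostname
    if not host:
        return False, "missing host"
    try:
        port = parsed.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "invalid port"
    try:
        addresses = [ipaddress.ip_address(host)]  # literal IPv4/IPv6
    except ValueError:
        try:
            addresses = [ipaddress.ip_address(a) for a in resolve(host)]
        except (OSError, ValueError):  # socket.gaierror is an OSError
            return False, "unresolvable host"
        if not addresses:
            return False, "unresolvable host"
    for ip in addresses:
        if not _is_public(ip):
            return False, f"host resolves to non-public address {ip}"
    netloc = f"[{host}]" if ":" in host else host  # re-bracket IPv6
    if port is not None:
        netloc += f":{port}"
    canonical = urlunparse((parsed.scheme.lower(), netloc, parsed.path,
                            parsed.params, parsed.query, ""))
    return True, canonical


if __name__ == "__main__":
    # Constructed resolver table so the demo runs offline.
    table = {"example.com": ["1.1.1.1"], "localhost": ["127.0.0.1"]}
    fake_resolve = lambda h: table.get(h, [])
    crafted = "http://127.0.0.1:6666@1.1.1.1"
    print("naive:", naive_validate_url(crafted))
    print("hardened:", hardened_validate_url(crafted, resolve=fake_resolve))
    print("hardened:", hardened_validate_url("https://Example.COM:8443/a?x=1#f",
                                             resolve=fake_resolve))
```

Resolving at validation time still leaves a window between the check and the connect (DNS rebinding); a client that pins the validated address, or re-runs the check on every redirect target, closes that as well. Returning the canonical URL rather than the original string is the part that matters most for this CVE: whatever the client's parser does with "@", it never sees one.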

Tags: Exploit · Fix · SSRF

Weakness Enumeration

Related Identifiers: CVE-2026-44335, GHSA-Q9PW-VMHH-384G

Affected Products: Praisonai