CVE-2026-40150

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244	Exploit Vendor Advisory
https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*

History

24 Apr 2026, 14:53

Type	Values Removed	Values Added
CPE		cpe:2.3:a:praison:praisonaiagents::::::::
References	~~() https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244 -~~	() https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244 - Exploit, Vendor Advisory
First Time		Praison praisonaiagents Praison

14 Apr 2026, 15:16

Type	Values Removed	Values Added
References	~~() https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244 -~~	() https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244 -

09 Apr 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-04-09 22:16

Updated : 2026-04-24 14:53

NVD link : CVE-2026-40150

Mitre link : CVE-2026-40150

CVE.ORG link : CVE-2026-40150

JSON object : View

Products Affected

praison

praisonaiagents

CWE

CWE-918

Server-Side Request Forgery (SSRF)

{"id": "CVE-2026-40150", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2026-04-09T22:16:35.900", "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-918"}]}], "descriptions": [{"lang": "en", "value": "PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128."}], "lastModified": "2026-04-24T14:53:03.193", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B1797C27-7EBC-4CEF-90B8-F84E8198632D", "versionEndExcluding": "1.5.128"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}