CVE-2026-34936
Published: 03 April 2026
Summary
CVE-2026-34936 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonai. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522); ranked at the 2.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Enforces information flow control policies that restrict outbound requests to authorized hosts only, directly preventing SSRF exploitation via malicious api_base parameters.
Requires validation of caller-controlled api_base inputs to block malformed or unauthorized URLs before they are passed to httpx.Client.request().
Monitors and controls communications at system boundaries to block or detect unauthorized outbound requests to internal services or arbitrary hosts.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The SSRF vulnerability allows an authenticated attacker to supply a malicious api_base, causing the server to make requests to arbitrary internal hosts including metadata endpoints. This directly enables querying the Cloud Instance Metadata API to gather instance information (T1522) or steal credentials (T1552.005), resulting in the described high confidentiality impact via data exfiltration.
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme…
more
validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.
Deeper analysisAI
CVE-2026-34936 is a server-side request forgery (SSRF) vulnerability (CWE-918) in PraisonAI, an open-source multi-agent teams system. In versions prior to 4.5.90, the passthrough() and apassthrough() functions accept a caller-controlled api_base parameter, which is concatenated with an endpoint and passed directly to httpx.Client.request() if the litellm primary path raises an AttributeError. The implementation lacks URL scheme validation, private IP filtering, or domain allowlisting, enabling requests to arbitrary hosts reachable from the server.
The vulnerability has a CVSS v3.1 base score of 7.7 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N), indicating network accessibility with low attack complexity and requiring only low privileges. An authenticated attacker with low privileges can exploit this by supplying a malicious api_base, tricking the server into making unauthorized outbound requests. This allows access to internal services or metadata endpoints behind the server's network boundaries, resulting in high confidentiality impact through data exfiltration, while integrity and availability remain unaffected.
The issue was addressed in PraisonAI version 4.5.90. Security practitioners should upgrade to this version or later. Additional details, including patch information, are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv.
PraisonAI's role as a multi-agent AI system underscores the relevance of this SSRF flaw in AI/ML workflows, where untrusted inputs could propagate through agent interactions to compromise internal resources. No public evidence of real-world exploitation has been reported as of the CVE publication on 2026-04-03.
Details
- CWE(s)