CVE-2026-34954
Published: 03 April 2026
Summary
CVE-2026-34954 is a high-severity server-side request forgery (SSRF, CWE-918) vulnerability in the praisonaiagents package of PraisonAI (vendor listed as Praison). Its CVSS v3.1 base score is 8.6 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking sits at the 3.8th percentile (well below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of the unvalidated url parameter in FileTools.download_file() before it is used to open a connection, which removes the SSRF at its root.
- SC-7 (Boundary Protection): monitors and controls outbound communications from the application host, blocking egress to cloud metadata endpoints and internal services even if an input check is bypassed.
- Information flow enforcement: restricts outbound connections initiated by the vulnerable function to an allow-listed set of destinations, so a forged request cannot reach arbitrary hosts.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
An SSRF in a public-facing application is exploited via T1190. Once exploited, the forged requests let the attacker query the cloud instance metadata API (T1522, since merged into T1552.005, Unsecured Credentials: Cloud Instance Metadata API) for credentials and probe internal network services (T1046, Network Service Discovery), enabling discovery and data exfiltration from the server's network position.
NVD Description
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Deeper analysis
CVE-2026-34954 is a server-side request forgery vulnerability (CWE-918) affecting PraisonAI, a multi-agent teams system, in versions prior to 1.5.95. The issue resides in the FileTools.download_file() function within the praisonaiagents component, which validates the destination path but performs no validation on the url parameter. The URL is passed directly to httpx.stream() with follow_redirects=True, so the server connects wherever the URL points and, because redirects are followed automatically, wherever any response along the way redirects it. Even a destination that looks harmless can therefore bounce the request to an internal target.
An unauthenticated remote attacker (AV:N/AC:L/PR:N/UI:N) who can control the url argument, for example when it is derived from untrusted input, can force the server to connect to arbitrary hosts reachable from its network context. This includes cloud metadata services and internal network services, giving a high confidentiality impact through disclosure of credentials and internal data (CVSS v3.1 8.6: scope changed, C:H, no integrity or availability impact). The scope change reflects that the vulnerable component reaches resources, such as the metadata service, that lie outside its own security authority.
The vulnerability has been addressed in PraisonAI version 1.5.95. Additional details on the patch and remediation are available in the GitHub security advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh.
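The checks a fixed download helper needs, as an added example written for this page rather than PraisonAI's own code or patch: an http/https scheme allow-list, resolution of the hostname with every returned address required to be public (which rejects 169.254.169.254 and the RFC 1918 ranges the NVD text warns about), and manual redirect handling so each hop is re-validated instead of being followed blindly by follow_redirects=True. The names validate_url, safe_download, is_safe_url and the FAKE_DNS table are illustrative assumptions; the fixtures are constructed so the example runs offline.

```python
"""Hardening a download_file()-style helper against SSRF (added example, not PraisonAI code).

Vulnerable pattern from the advisory: untrusted url -> httpx.stream(..., follow_redirects=True).
"""
import ipaddress
import socket
from typing import Callable, Dict, Iterable, List, Optional, Tuple
from urllib.parse import urljoin, urlsplit

Resolver = Callable[[str], Iterable[str]]
# fetch(url) -> (status, Location header or None, body). The HTTP client behind it
# must NOT follow redirects itself, so every hop passes through validate_url().
Fetch = Callable[[str], Tuple[int, Optional[str], bytes]]
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


class UnsafeURL(ValueError):
    """Raised when a URL would make the server talk to something it should not."""


def default_resolver(host: str) -> List[str]:
    """Real DNS: return every A/AAAA answer, so a name with one public and one
    internal address is rejected instead of fetched from whichever answer wins."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def _is_public(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 is judged by the embedded IPv4 address
    # is_global excludes RFC 1918, loopback, link-local (169.254.0.0/16, i.e. cloud
    # metadata), CGNAT, multicast, reserved and documentation ranges; the explicit
    # flags are redundant with it but make the intent readable.
    return ip.is_global and not (ip.is_private or ip.is_loopback or ip.is_link_local
                                 or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url: str, resolver: Resolver = default_resolver) -> Tuple[str, str]:
    """Return (hostname, pinned_ip) if url is safe to fetch, else raise UnsafeURL.
    Connect to pinned_ip (sending hostname in Host/SNI) so a second lookup inside
    the HTTP client cannot rebind the name to an internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURL("userinfo in URL not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURL("missing host")
    try:                                  # literal IP (urlsplit strips [] from IPv6)
        addrs = [str(ipaddress.ip_address(host))]
    except ValueError:                    # a hostname: resolve it
        try:
            addrs = list(resolver(host))
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}: {exc}") from exc
    if not addrs:
        raise UnsafeURL(f"no addresses for {host!r}")
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeURL(f"{host!r} -> {addr} is not a public address")
    return host, addrs[0]


def is_safe_url(url: str, resolver: Resolver = default_resolver) -> bool:
    try:
        validate_url(url, resolver)
        return True
    except UnsafeURL:
        return False


def safe_download(url: str, fetch: Fetch, resolver: Resolver = default_resolver,
                  max_redirects: int = 5) -> bytes:
    """Fetch url, validating the initial URL and every redirect target."""
    for _ in range(max_redirects + 1):
        validate_url(url, resolver)
        status, location, body = fetch(url)
        if status in REDIRECT_STATUSES and location:
            url = urljoin(url, location)  # relative Location headers are resolved too
            continue
        return body
    raise UnsafeURL(f"more than {max_redirects} redirects")


# --- constructed offline fixtures (not real hosts or responses) -----------------
FAKE_DNS: Dict[str, List[str]] = {
    "files.example.com": ["93.184.216.34"],            # public address
    "metadata.google.internal": ["169.254.169.254"],   # cloud metadata service
    "intranet.corp.example": ["10.0.0.5"],             # RFC 1918
    "rebind.example": ["93.184.216.34", "127.0.0.1"],  # split public/internal answer
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError(f"no such host {host!r}")
    return FAKE_DNS[host]


def fake_fetch(url: str) -> Tuple[int, Optional[str], bytes]:
    """A public host that bounces the client at the metadata service, and one that does not."""
    if url == "https://files.example.com/report.pdf":
        return 302, "http://169.254.169.254/latest/meta-data/", b""
    if url == "https://files.example.com/ok":
        return 302, "/ok-final", b""
    if url == "https://files.example.com/ok-final":
        return 200, None, b"%PDF-1.7 constructed"
    return 404, None, b""
```

To wire this to httpx, the fetch callable would issue the request with a client created as httpx.Client(follow_redirects=False) and return the status code, the Location header and the body, leaving redirect decisions to safe_download. Pinning the connection to the validated address (rather than letting the client resolve the name again) needs transport-level support and is outside what this example shows; egress filtering at the network boundary (SC-7) covers the residual gap.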
Details
- CWE(s)