CVE-2026-40114

HighPublic PoC

Published: 09 April 2026

Published

09 April 2026

Modified

17 April 2026

KEV Added

—

Patch

—

CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

EPSS Score 0.0004 13.1th percentile

Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-40114 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonai. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 13.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates the lack of URL validation on webhook_url inputs in the /api/v1/runs endpoint by requiring validation to block arbitrary destinations.

AC-4 Information Flow Enforcement good match

prevent

Enforces flow control policies to restrict server-initiated HTTP POST requests from the job completion process to only authorized destinations, preventing SSRF.

SC-7 Boundary Protection good match

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect POST requests to unauthorized internal or external services like cloud metadata endpoints.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1522 Cloud Instance Metadata API Credential Access

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

attack.mitre.org →

T1046 Network Service Discovery Discovery

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.

attack.mitre.org →

Why these techniques?

SSRF in public-facing /api/v1/runs endpoint enables T1190 exploitation; directly facilitates T1522 (cloud metadata) and T1046 (internal service probing) as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to…

this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server send POST requests to arbitrary internal or external destinations, enabling SSRF against cloud metadata services, internal APIs, and other network-adjacent services. This vulnerability is fixed in 4.5.128.

Deeper analysisAI

CVE-2026-40114 is a server-side request forgery (SSRF) vulnerability in PraisonAI, a multi-agent teams system. In versions prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body without any URL validation. Upon completion of a submitted job, whether successful or failed, the server uses httpx.AsyncClient to make an HTTP POST request to the specified URL, allowing requests to unintended destinations.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a job via the endpoint with a malicious webhook_url, the attacker causes the server to send POST requests to arbitrary internal or external targets when the job finishes. This enables SSRF attacks against cloud metadata services, internal APIs, and other network-adjacent services, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflecting low confidentiality and integrity impacts in a changed scope.

The vulnerability, associated with CWE-918 (Server-Side Request Forgery), is fixed in PraisonAI version 4.5.128. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm.

Details

CWE(s): CWE-918

Affected Products

praison

praisonai

≤ 4.5.128

CVEs Like This One

CVE-2026-34936Same product: Praison Praisonai

CVE-2026-39890Same product: Praison Praisonai

CVE-2026-39889Same product: Praison Praisonai

CVE-2026-34934Same product: Praison Praisonai

CVE-2026-34952Same product: Praison Praisonai

CVE-2026-40315Same product: Praison Praisonai

CVE-2026-39891Same product: Praison Praisonai

CVE-2026-39308Same product: Praison Praisonai

CVE-2026-39888Same product: Praison Praisonai

CVE-2026-35615Same product: Praison Praisonai

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm
Exploit, Vendor Advisory · security-advisories@github.com