Cyber Resilience

CVE-2026-40114

HighPublic PoC

Published: 09 April 2026

Published
09 April 2026
Modified
17 April 2026
KEV Added
Patch
CVSS Score v3.1 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0028 19.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-40114 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonai. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 19.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

CVE-2026-40114 is a server-side request forgery (SSRF) vulnerability in PraisonAI, a multi-agent teams system. In versions prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body without any URL validation. Upon completion of a submitted job, whether successful or failed, the server uses httpx.AsyncClient to make an HTTP POST request to the specified URL, allowing requests to unintended destinations.

An unauthenticated attacker can exploit this vulnerability over the network with low complexity and no user interaction required. By submitting a job via the endpoint with a malicious webhook_url, the attacker causes the server to send POST requests to arbitrary internal or external targets when the job finishes. This enables SSRF attacks against cloud metadata services, internal APIs, and other network-adjacent services, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) reflecting low confidentiality and integrity impacts in a changed scope.

The vulnerability, associated with CWE-918 (Server-Side Request Forgery), is fixed in PraisonAI version 4.5.128. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8frj-8q3m-xhgm.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

PraisonAI is a multi-agent teams system. Prior to 4.5.128, the /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to…

more

this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server send POST requests to arbitrary internal or external destinations, enabling SSRF against cloud metadata services, internal APIs, and other network-adjacent services. This vulnerability is fixed in 4.5.128.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1552.005 Cloud Instance Metadata API Credential Access
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
T1046 Network Service Discovery Discovery
Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation.
Why these techniques?

SSRF in public-facing /api/v1/runs endpoint enables T1190 exploitation; directly facilitates T1522 (cloud metadata) and T1046 (internal service probing) as described.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34936Same product: Praison Praisonai
CVE-2026-34934Same product: Praison Praisonai
CVE-2026-39889Same product: Praison Praisonai
CVE-2026-34952Same product: Praison Praisonai
CVE-2026-44338Same product: Praison Praisonai
CVE-2026-39890Same product: Praison Praisonai
CVE-2026-39891Same product: Praison Praisonai
CVE-2026-39308Same product: Praison Praisonai
CVE-2026-44334Same product: Praison Praisonai
CVE-2026-40315Same product: Praison Praisonai

Affected Assets

praison
praisonai
≤ 4.5.128

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates the lack of URL validation on webhook_url inputs in the /api/v1/runs endpoint by requiring validation to block arbitrary destinations.

prevent

Enforces flow control policies to restrict server-initiated HTTP POST requests from the job completion process to only authorized destinations, preventing SSRF.

preventdetect

Monitors and controls outbound communications at system boundaries to block or detect POST requests to unauthorized internal or external services like cloud metadata endpoints.

References