CVE-2026-40150
Published: 09 April 2026
Summary
CVE-2026-40150 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonaiagents. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005). The CVE ranks at the 18.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Deeper analysis
CVE-2026-40150 is a server-side request forgery vulnerability (CWE-918) in PraisonAIAgents, a multi-agent teams system. Prior to version 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs supplied by AI agents without validation: no scheme allowlisting, hostname or IP blocklisting, or private network checks are applied before content is fetched. This flaw, scored 7.7 under CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, enables unauthorized resource access.
An attacker with low privileges, either acting as a legitimate user or working through prompt injection in previously crawled content, can exploit this over the network with low complexity and no user interaction. By providing malicious URLs to the AI agent, they can force it to fetch sensitive cloud metadata endpoints (e.g., on AWS IMDS), internal services, or local files via file:// schemes, resulting in high confidentiality impact through potential data exfiltration in a scoped environment.
The vulnerability is addressed in PraisonAIAgents version 1.5.128. Security advisories recommend updating to this patched release immediately. Additional details are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244.
This issue highlights risks in AI agent frameworks where untrusted inputs from prompts can lead to SSRF, with relevance to AI/ML deployments relying on automated web crawling tools. No public evidence of real-world exploitation is reported as of the CVE publication on 2026-04-09.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-21170
Vulnerability details
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.
- CWE(s)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, prompt injection
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SSRF vulnerability explicitly allows fetching arbitrary URLs, including cloud instance metadata endpoints (e.g. AWS IMDS) and internal resources, without validation, directly enabling T1522.
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of arbitrary URL inputs to the web_crawl function, preventing SSRF by blocking unsupported schemes, private IPs, and internal endpoints.
Implements boundary protection with application-layer filtering and protocol validation to restrict outbound fetches to unauthorized internal services or metadata endpoints.
Enforces information flow control policies to limit agent-initiated requests to approved external destinations only, mitigating access to private networks.
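The input validation these controls call for, sketched as an added example (it is not the PraisonAI 1.5.128 patch or any code from the project): a pre-fetch check that applies a scheme allowlist, resolves the host, and refuses if any resulting address is non-public. The names `validate_crawl_url`, `UnsafeURL`, `system_resolve` and `is_blocked` are hypothetical, and the http/https-only allowlist is an assumption.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the crawler only needs web URLs

class UnsafeURL(ValueError):
    """The URL must not be fetched on behalf of an agent."""

def system_resolve(host, port):
    """Resolve host with the OS resolver; returns a list of IP strings."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def is_blocked(addr):
    """True for loopback, private, link-local, reserved and multicast IPs."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by the IPv4 address inside
    return not ip.is_global or ip.is_multicast

def validate_crawl_url(url, resolve=system_resolve):
    """Return the vetted IPs for url, or raise UnsafeURL (hypothetical helper)."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:  # rejects file:// and other schemes
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise UnsafeURL("URL has no host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:  # IP literal: check it directly, no DNS lookup
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolve(parts.hostname, port)
    bad = [a for a in addrs if is_blocked(a)]
    if bad or not addrs:  # one internal record is enough to refuse
        raise UnsafeURL(f"{parts.hostname} maps to non-public address(es): {bad}")
    return addrs

if __name__ == "__main__":
    # Constructed DNS answers so the demo runs offline.
    dns = {"example.com": ["93.184.216.34"], "intranet.example": ["10.0.0.5"]}
    for u in ("https://example.com/", "http://intranet.example/",
              "http://169.254.169.254/", "file:///etc/passwd"):
        try:
            print("allow", u, validate_crawl_url(u, lambda h, p: dns[h]))
        except UnsafeURL as exc:
            print("block", u, "->", exc)
```

A fetcher should connect to the returned addresses rather than resolving the name a second time, and should run the same check on every redirect target.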