CVE-2026-40150
Published: 09 April 2026
Summary
CVE-2026-40150 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonaiagents. Its CVSS base score is 7.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1522). The CVE ranks at the 9.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related — categorised as Other AI Platforms; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation of arbitrary URL inputs to the web_crawl function, preventing SSRF by blocking unsupported schemes, private IPs, and internal endpoints.
Implements boundary protection with application-layer filtering and protocol validation to restrict outbound fetches to unauthorized internal services or metadata endpoints.
Enforces information flow control policies to limit agent-initiated requests to approved external destinations only, mitigating access to private networks.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SSRF vulnerability explicitly allows fetching arbitrary URLs including cloud instance metadata endpoints (e.g. AWS IMDS) and internal resources without validation, directly enabling T1522.
NVD Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.
Deeper analysis
CVE-2026-40150 is a server-side request forgery vulnerability (CWE-918) in PraisonAIAgents, a multi-agent teams system. Prior to version 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs supplied by AI agents without validation, including no scheme allowlisting, hostname or IP blocklisting, or private network checks prior to fetching content. This flaw, scored 7.7 under CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, enables unauthorized resource access.
An attacker with low privileges, such as a legitimate user or through prompt injection in previously crawled content, can exploit this over the network with low complexity and no user interaction. By providing malicious URLs to the AI agent, they can force it to fetch sensitive cloud metadata endpoints (e.g., on AWS IMDS), internal services, or local files via file:// schemes, resulting in high confidentiality impact through potential data exfiltration in a scoped environment.
The vulnerability is addressed in PraisonAIAgents version 1.5.128. Security advisories recommend updating to this patched release immediately. Additional details are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244.
This issue highlights risks in AI agent frameworks where untrusted inputs from prompts can lead to SSRF, with relevance to AI/ML deployments relying on automated web crawling tools. No public evidence of real-world exploitation is reported as of the CVE publication on 2026-04-09.
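The three checks the description says were missing before 1.5.128 (scheme allowlisting, IP blocklisting and private-network checks) can be sketched as a pre-fetch gate. This is an added example, not the project's patch or code from the advisory; check_crawl_url, system_resolve and is_public are hypothetical names, and the resolver is injectable so the check can be exercised offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # file:// and every other scheme is refused

def system_resolve(host, port):
    """Return every address the OS resolver would hand to connect()."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}

def is_public(addr):
    """True only for globally routable addresses."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop any IPv6 zone id
    mapped = getattr(ip, "ipv4_mapped", None)      # unwrap ::ffff:a.b.c.d
    return (mapped or ip).is_global

def check_crawl_url(url, resolve=system_resolve):
    """Hypothetical pre-fetch check: returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        scheme, host = parts.scheme.lower(), parts.hostname
        port = parts.port or (443 if scheme == "https" else 80)
    except ValueError as exc:
        return False, f"malformed URL: {exc}"
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {scheme!r} not allowed"
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        addrs = {host}                  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = resolve(host, port)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    # Reject if ANY resolved address is internal, not just the first one.
    blocked = sorted(a for a in addrs if not is_public(a))
    if blocked or not addrs:
        return False, f"{host} maps to non-public address(es): {blocked}"
    return True, "ok"
```

A gate like this only covers the first request: every redirect hop needs the same check, and the fetch should connect to the address that was validated so a second DNS lookup cannot return a different one.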
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other AI Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, prompt injection