Cyber Resilience

CVE-2026-40150

High · Public PoC

Published: 09 April 2026

Modified: 24 April 2026
CVSS Score (v3.1): 7.7 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)
EPSS Score: 0.0027 (18.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-40150 is a high-severity SSRF (CWE-918) vulnerability in Praison Praisonaiagents. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Cloud Instance Metadata API (T1552.005). The CVE is ranked at the 18.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-4 (Information Flow Enforcement).

Deeper analysis

CVE-2026-40150 is a server-side request forgery vulnerability (CWE-918) in PraisonAIAgents, a multi-agent teams system. Prior to version 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs supplied by AI agents without validation: it applies no scheme allowlisting, no hostname or IP blocklisting, and no private network checks before fetching content. This flaw, scored 7.7 under CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N, enables unauthorized resource access.

An attacker with low privileges, acting as a legitimate user or through prompt injection in previously crawled content, can exploit this over the network with low complexity and no user interaction. By providing malicious URLs to the AI agent, they can force it to fetch sensitive cloud metadata endpoints (e.g., on AWS IMDS), internal services, or local files via file:// schemes, resulting in high confidentiality impact through potential data exfiltration in a scoped environment.
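The three checks described above as missing from web_crawl() (scheme allowlist, IP blocking, private-network check after name resolution) can be sketched as a pre-fetch gate. This is an added example, not the PraisonAI patch or any code from the project; check_crawl_url, system_resolver, sample_resolver and the SAMPLE_DNS entries are hypothetical names and constructed data.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: the crawler only needs web URLs


def system_resolver(host, port):
    """Return every address the host name resolves to (A and AAAA records)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return [info[4][0] for info in infos]


def check_crawl_url(url, resolver=system_resolver):
    """Hypothetical pre-fetch check: returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:
        return False, "malformed URL"
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:  # rejects file://, ftp://, gopher://, ...
        return False, f"scheme {scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addrs = [ipaddress.ip_address(host)]  # host is already an IP literal
    except ValueError:
        try:  # host is a name: judge what it resolves to, not how it is spelled
            found = resolver(host, port or (443 if scheme == "https" else 80))
            addrs = [ipaddress.ip_address(a.split("%")[0]) for a in found]
        except (OSError, ValueError):
            return False, "host does not resolve"
    if not addrs:
        return False, "host does not resolve"
    for ip in addrs:
        # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
        # which holds the cloud metadata address) and other reserved ranges.
        if not ip.is_global or ip.is_multicast:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"


# Constructed DNS answers so the example runs offline.
SAMPLE_DNS = {"intranet.example": ["10.0.0.5"], "site.example": ["93.184.216.34"],
              "mixed.example": ["93.184.216.34", "10.0.0.5"]}


def sample_resolver(host, port):
    return SAMPLE_DNS.get(host, [])
```

Redirects need the same check on every hop, and the fetch should connect to the address that was validated, since a second DNS lookup can return a different answer.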

The vulnerability is addressed in PraisonAIAgents version 1.5.128. Security advisories recommend updating to this patched release immediately. Additional details are available in the GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244.

This issue highlights risks in AI agent frameworks where untrusted inputs from prompts can lead to SSRF, with relevance to AI/ML deployments relying on automated web crawling tools. No public evidence of real-world exploitation is reported as of the CVE publication on 2026-04-09.

Vulnerability details

PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, the web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs. This vulnerability is fixed in 1.5.128.

AI Security Analysis (AI)

AI Category: AI Agent Protocols and Integrations
Risk Domain: LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, prompt injection

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1552.005 Cloud Instance Metadata API (Credential Access)
Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.
Why these techniques?

The SSRF vulnerability explicitly allows fetching arbitrary URLs, including cloud instance metadata endpoints (e.g. AWS IMDS) and internal resources, without validation, directly enabling T1522.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34954 (same product: Praison Praisonaiagents)
CVE-2026-44335 (same product: Praison Praisonaiagents)
CVE-2026-40111 (same product: Praison Praisonaiagents)
CVE-2026-40117 (same product: Praison Praisonaiagents)
CVE-2026-34937 (same product: Praison Praisonaiagents)
CVE-2026-40153 (same product: Praison Praisonaiagents)
CVE-2026-34938 (same product: Praison Praisonaiagents)
CVE-2026-34936 (same vendor: Praison)
CVE-2026-40114 (same vendor: Praison)
CVE-2026-41496 (same product: Praison Praisonaiagents)

Affected Assets

praison
praisonaiagents
≤ 1.5.128

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Directly requires validation of arbitrary URL inputs to the web_crawl function, preventing SSRF by blocking unsupported schemes, private IPs, and internal endpoints.

Prevent: Implements boundary protection with application-layer filtering and protocol validation to restrict outbound fetches to unauthorized internal services or metadata endpoints.

Prevent: Enforces information flow control policies to limit agent-initiated requests to approved external destinations only, mitigating access to private networks.
