PraisonAI SSRF Vulnerability (CVE-2026-34954)
CVE-2026-34954
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing i...
Overview
A high-severity Server-Side Request Forgery (SSRF) vulnerability, tracked as CVE-2026-34954, has been identified in the PraisonAI multi-agent teams system. The flaw resides in the FileTools.download_file() function, which fails to validate user-supplied URLs before fetching them.
Vulnerability Details
In PraisonAI versions prior to 1.5.95, the download_file() function properly validates the destination file path but passes the url parameter directly to the httpx.stream() method with follow_redirects=True. This lack of input validation allows an attacker who controls the URL parameter to force the server to make HTTP requests to arbitrary destinations.
Because the request originates from the application server, an attacker can target systems that are normally inaccessible from the public internet. This includes internal network services, databases, and, critically, cloud instance metadata services, which often contain sensitive credentials and configuration data.
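One way to implement the missing URL check, as an added example (not PraisonAI's code and not the 1.5.95 patch): it rejects any URL whose host resolves to a non-public address and re-checks every redirect hop, since follow_redirects=True would otherwise skip the check after the first request. The names check_url, check_redirect_chain, get_location, fake_resolve, FAKE_DNS and the .example hosts are hypothetical and constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

# Constructed sample data: an offline stand-in for DNS (hypothetical hosts).
FAKE_DNS = {"files.example": ["93.184.216.34"],
            "mixed.example": ["93.184.216.34", "10.0.0.5"]}

def fake_resolve(host, port):
    try:
        return [str(ipaddress.ip_address(host))]  # IP literal: no lookup
    except ValueError:
        return FAKE_DNS.get(host, [])

def system_resolve(host, port):
    """All addresses the system resolver returns for host (A and AAAA)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_url(url, resolve=system_resolve):
    """Return (ok, reason); ok only if every address behind url is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        addrs = resolve(parts.hostname, port)
    except (OSError, ValueError):
        addrs = []
    if not addrs:
        return False, "host did not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 zone id
        ip = getattr(ip, "ipv4_mapped", None) or ip    # unwrap ::ffff:a.b.c.d
        if not ip.is_global or ip.is_multicast:
            return False, f"{parts.hostname} -> {ip} is not a public address"
    return True, "ok"

def check_redirect_chain(url, get_location, resolve=system_resolve, max_hops=5):
    """get_location(url) is a hypothetical callback: fetch url with redirects
    disabled and return its Location header, or None when there is none."""
    for _ in range(max_hops + 1):
        ok, reason = check_url(url, resolve)
        if not ok:
            return False, reason
        location = get_location(url)
        if location is None:
            return True, "ok"
        url = urljoin(url, location)  # Location may be relative
    return False, "too many redirects"
```

The check resolves the name separately from the HTTP client, so a hostname whose DNS answer changes between the two lookups can still slip through; connecting to the address that was validated closes that gap.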
Impact
The primary risk is unauthorized access to internal infrastructure. By exploiting this SSRF, an attacker could:
- Steal credentials from cloud metadata services (e.g., AWS IMDS, Azure Instance Metadata Service, GCP metadata server).
- Probe and interact with internal applications, APIs, or databases.
- Potentially leverage access to these internal systems to move laterally within a network.
With a CVSS score of 8.6 (Attack Vector: Network, Privileges Required: None, User Interaction: None), this vulnerability presents a significant risk, especially in deployments where the PraisonAI server has access to sensitive internal segments.
Remediation and Mitigation
The vendor has released a patch in PraisonAI version 1.5.95. All users must upgrade to this version immediately.
Immediate Action:
- Upgrade: Update your PraisonAI installation to version 1.5.95 or later.
- Inventory: Identify all deployments of PraisonAI, including development and testing environments.
- Restrict Network Access: As a temporary measure if patching is delayed, consider implementing network-level restrictions to block egress HTTP traffic from the PraisonAI server to internal metadata service endpoints (like 169.254.169.254) and critical internal subnets. This is a mitigation, not a fix.
For organizations leveraging AI-driven security tools, this incident underscores the importance of evaluating AI SOC agents to ensure they integrate securely.
Security Insight
This SSRF flaw highlights a recurring pattern in rapidly developed AI/automation tools: robust input validation for external interactions is often an afterthought. Just as the CyberStrikeAI tool, adopted by hackers for AI-powered attacks, uses automation for offense, defensive tools themselves must be built with foundational security principles. The vulnerability serves as a reminder that the complexity of new AI agent systems can sometimes mask basic, critical security gaps that attackers are quick to exploit.