Skip to main content

Python CVE-2026-34954

HIGH
Server-Side Request Forgery (SSRF) (CWE-918)
2026-04-01 https://github.com/MervinPraison/PraisonAI GHSA-44c2-3rw4-5gvh
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Patch released
Apr 02, 2026 - 14:30 nvd
Patch available
Analysis Generated
Apr 02, 2026 - 00:15 vuln.today
CVE Published
Apr 01, 2026 - 23:27 nvd
HIGH 8.6

DescriptionGitHub Advisory

Summary

FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.

Details

file_tools.py:259 (source) -> file_tools.py:296 (sink)

python
# source -- url taken directly from caller, no validation
def download_file(self, url: str, destination: str, ...):
# sink -- unvalidated url passed to httpx with redirect following
    with httpx.stream("GET", url, timeout=timeout, follow_redirects=True) as response:

PoC

bash
# tested on: praisonaiagents==1.5.87 (source install)
# install: pip install -e src/praisonai-agents
# start listener: python3 -m http.server 8888

import os
os.environ['PRAISONAI_AUTO_APPROVE'] = 'true'
from praisonaiagents.tools.file_tools import download_file

result = download_file(
    url="http://127.0.0.1:8888/ssrf-test",
    destination="/tmp/ssrf_out.txt"
)
print(result)
# listener logs: "GET /ssrf-test HTTP/1.1" 404
# on EC2 with IMDSv1: url="http://169.254.169.254/latest/meta-data/iam/security-credentials/"
# writes IAM credentials to destination file

Impact

On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. follow_redirects=True enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required.

Suggested Fix

python
from urllib.parse import urlparse
import ipaddress

BLOCKED_NETWORKS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("169.254.0.0/16"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def _validate_url(url: str) -> None:
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"Scheme {parsed.scheme!r} not allowed")
    try:
        addr = ipaddress.ip_address(parsed.hostname)
        for net in BLOCKED_NETWORKS:
            if addr in net:
                raise ValueError(f"Requests to {addr} are not permitted")
    except ValueError as e:
        if "does not appear to be" not in str(e):
            raise

AnalysisAI

Server-Side Request Forgery (SSRF) in praisonaiagents allows unauthenticated remote attackers to access internal network resources and cloud metadata services. The FileTools.download_file() function passes user-controlled URLs directly to httpx.stream() with redirect following enabled, bypassing network boundaries. On AWS EC2 instances with IMDSv1, attackers can retrieve IAM credentials from the metadata service (169.254.169.254) and write them to disk. Exploitation requires no authentication (P

Technical ContextAI

This vulnerability affects the praisonaiagents Python package, an AI agent framework that provides file manipulation capabilities. The root cause is CWE-918 (Server-Side Request Forgery), a common flaw in applications that fetch remote resources without validating destination URLs. The vulnerable code path begins at file_tools.py:259 where the url parameter is accepted without validation and flows to line 296 where it's passed to httpx.stream() with follow_redirects=True enabled. The httpx library, a modern HTTP client for Python, will honor HTTP redirects, allowing attackers to chain open redirects to bypass naive URL filters. The function validates the destination filesystem path but performs zero validation on the URL scheme, hostname, or IP address. This enables attackers to target RFC 1918 private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), localhost (127.0.0.0/8), and critically, the AWS EC2 metadata service at 169.254.169.254. Cloud metadata services expose sensitive information including IAM role credentials, instance identity documents, and user-data scripts without authentication when accessed from the instance itself.

RemediationAI

Upgrade to a patched version of praisonaiagents as soon as the maintainer releases a fix addressing the URL validation gap in FileTools.download_file(). Monitor the GitHub advisory at https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh for patch availability announcements. Until a vendor-released patch is available, implement defense-in-depth controls: (1) Deploy network-level egress filtering to block outbound connections to RFC 1918 private ranges, localhost, and cloud metadata IP ranges (169.254.169.254 for AWS, 169.254.169.254 for GCP, 169.254.169.254 for Azure); (2) Upgrade AWS EC2 instances to require IMDSv2, which mitigates SSRF-based metadata access by requiring HTTP headers that SSRF cannot typically forge (aws ec2 modify-instance-metadata-options --instance-id i-xxx --http-tokens required); (3) Apply the suggested fix from the advisory by adding URL validation code that blocks non-HTTP(S) schemes, resolves hostnames to IP addresses, and rejects requests to blocked networks including loopback, link-local, and private ranges before passing URLs to httpx; (4) If modifying source code, disable follow_redirects or implement allowlist-based URL validation rather than blocklist approaches which are bypassable; (5) Run praisonaiagents in isolated network segments with no access to sensitive internal services; (6) Implement input validation and sanitization on any user-controlled data that flows to

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-34954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy