PyPI: praisonai

CVE-2026-34936

Safety vulnerability ID: SFTY-20260401-99185

Safety legacy ID: pyup.io-91437

Affected versions of the praisonai package are vulnerable to Server-Side Request Forgery (SSRF) due to the passthrough() and apassthrough() functions accepting a caller-controlled api_base parameter that is concatenated with an endpoint and passed directly to httpx.Client.request() without URL scheme validation, private IP filtering, or domain allowlisting. When the primary litellm code path raises an AttributeError, the fallback branch in passthrough.py constructs a URL from the unvalidated api_base value and issues an HTTP request to the attacker-specified destination. An attacker can supply a crafted api_base pointing to internal network resources, enabling access to cloud instance metadata services such as the EC2 IMDSv1 endpoint to retrieve IAM credentials, or to reach other internal services within the VPC, particularly as the Flask API server deploys with authentication disabled by default.

Created at: Apr 14, 2026
Updated at: Apr 14, 2026

Overview

PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

Affected Package

Affecting praisonai package, versions <=4.5.89

Also affects

---

How to Fix

Upgrade praisonai to 4.5.90 or higher.

Mitigation and Workarounds

---
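The advisory lists no vendor workaround. As an added example (not praisonai's code), this is the kind of api_base validation the description says the passthrough() fallback lacks: scheme allowlisting, rejection of loopback, private and link-local addresses (the range that includes the instance-metadata endpoint), and an optional host allowlist. `validate_api_base`, `ApiBaseError` and the sample hostnames are assumed for the illustration.

```python
# Added example (not praisonai code): the checks the advisory says the
# passthrough() fallback lacks, applied to api_base before any request.
# validate_api_base / ApiBaseError are names assumed for this illustration.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
# Loopback, RFC 1918, CGNAT, link-local (includes 169.254.169.254, the
# instance-metadata address) and their IPv6 equivalents.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96")]


class ApiBaseError(ValueError):
    """api_base failed validation; no request must be made."""


def _resolve(host):
    """Every address `host` maps to; a literal IP needs no DNS lookup."""
    try:
        return {str(ipaddress.ip_address(host))}
    except ValueError:
        return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_api_base(api_base, allowed_hosts=None, resolve=_resolve):
    """Return a normalised base URL or raise ApiBaseError.

    allowed_hosts: exact hostnames this deployment may call (None = any
    public host).  resolve: hostname -> set of IPs, injectable for tests.
    """
    parts = urlsplit(api_base)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ApiBaseError(f"scheme {parts.scheme!r} not allowed")
    if parts.username or parts.password:
        raise ApiBaseError("credentials in api_base are not allowed")
    host = (parts.hostname or "").lower()
    if not host or (allowed_hosts is not None and host not in allowed_hosts):
        raise ApiBaseError(f"host {host!r} is not allowed")
    # Check every resolved address, so a public-looking name that maps to
    # an internal IP is rejected too.  Connect to the vetted address
    # afterwards (or pin it) rather than resolving again at request time.
    for addr in resolve(host):
        if any(ipaddress.ip_address(addr) in net for net in BLOCKED_NETWORKS):
            raise ApiBaseError(f"{host} resolves to blocked address {addr}")
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}"
```

Run the validated URL through the allowlist and address check before the value ever reaches httpx.Client.request(); a hostname that resolves to any blocked address is rejected as a whole.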


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
