{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonai-before-4.6.78/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-60091"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PraisonAI (before 4.6.78)"],"_cs_severities":["high"],"_cs_tags":["vulnerability","ssrf","dns-rebinding","praisonai"],"_cs_type":"advisory","_cs_vendors":["MervinPraison"],"content_html":"\u003cp\u003eAn unauthenticated server-side request forgery (SSRF) vulnerability, identified as CVE-2026-60091, exists in PraisonAI versions prior to 4.6.78. This critical flaw resides within the Jobs API \u003ccode\u003e/api/v1/runs\u003c/code\u003e endpoint, specifically impacting the \u003ccode\u003ewebhook_url\u003c/code\u003e parameter. Attackers can leverage a timing window where the \u003ccode\u003ewebhook_url\u003c/code\u003e is initially validated as an external, legitimate target but then re-resolved to an internal IP address at connection time using DNS rebinding. This allows an external attacker to bypass security controls and force the PraisonAI application to make blind HTTP requests to arbitrary internal network services, potentially leading to unauthorized information disclosure, interaction with internal systems, or further lateral movement within an organization's network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker registers a domain (e.g., \u003ccode\u003eattacker.com\u003c/code\u003e) and configures its DNS records with a short Time-To-Live (TTL). Initially, the domain resolves to a legitimate external IP address controlled by the attacker.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an unauthenticated POST request to the PraisonAI Jobs API endpoint \u003ccode\u003e/api/v1/runs\u003c/code\u003e, setting the \u003ccode\u003ewebhook_url\u003c/code\u003e parameter to their malicious domain (e.g., \u003ccode\u003ehttp://attacker.com/callback\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eDuring initial validation, PraisonAI performs a DNS lookup for \u003ccode\u003eattacker.com\u003c/code\u003e. At this stage, it resolves to the external IP, passing the validation checks designed to prevent access to internal or private IP ranges.\u003c/li\u003e\n\u003cli\u003ePraisonAI accepts the job and schedules the webhook callback for later execution.\u003c/li\u003e\n\u003cli\u003eBefore PraisonAI attempts to connect to the \u003ccode\u003ewebhook_url\u003c/code\u003e for the callback, the attacker rapidly updates the DNS record for \u003ccode\u003eattacker.com\u003c/code\u003e to point to an internal IP address (e.g., \u003ccode\u003e192.168.1.10\u003c/code\u003e), which hosts an internal service within the target network.\u003c/li\u003e\n\u003cli\u003eWhen PraisonAI executes the webhook callback, it performs a new DNS lookup for \u003ccode\u003eattacker.com\u003c/code\u003e. Due to the DNS rebinding, it now resolves to \u003ccode\u003e192.168.1.10\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003ePraisonAI then makes an HTTP request to \u003ccode\u003ehttp://192.168.1.10/callback\u003c/code\u003e, initiating a blind server-side request forgery against an internal service.\u003c/li\u003e\n\u003cli\u003eThe internal service receives the request, potentially allowing the attacker to gather information about the internal network or interact with other internal systems, albeit blindly.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-60091 allows an unauthenticated attacker to bypass network segmentation and access internal services from an external position. This blind SSRF can lead to unauthorized information disclosure (C:L) and potentially limited modification of internal data (I:L), as indicated by its CVSS 3.1 score of 7.2. Attackers can use this vulnerability for internal network reconnaissance, identifying other vulnerable services, or indirectly interacting with sensitive internal systems that are not directly exposed to the internet. While direct arbitrary code execution is not implied, the ability to reach internal resources provides a significant foothold for further attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch PraisonAI instances immediately to version 4.6.78 or later to address CVE-2026-60091.\u003c/li\u003e\n\u003cli\u003eImplement strict outbound network filtering on the PraisonAI application server to prevent connections to internal IP ranges (RFC1918 addresses) or other unauthorized destinations. (network_connection logs)\u003c/li\u003e\n\u003cli\u003eMonitor DNS query logs from the PraisonAI server for suspicious rebinding patterns where a domain initially resolves to an external IP and then quickly changes to an internal IP. (dns_query logs)\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-10T15:25:05Z","date_published":"2026-07-10T15:25:05Z","id":"https://feed.craftedsignal.io/briefs/2026-07-praisonai-ssrf/","summary":"PraisonAI versions before 4.6.78 contain an unauthenticated server-side request forgery (SSRF) vulnerability, CVE-2026-60091, in the Jobs API `/api/v1/runs` endpoint via the `webhook_url` parameter, allowing attackers to exploit DNS rebinding to access internal services.","title":"Unauthenticated Server-Side Request Forgery in PraisonAI Jobs API (CVE-2026-60091)","url":"https://feed.craftedsignal.io/briefs/2026-07-praisonai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - PraisonAI (Before 4.6.78)","version":"https://jsonfeed.org/version/1.1"}