<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>PraisonAI (Before 4.6.78) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/praisonai-before-4.6.78/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 10 Jul 2026 15:25:05 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/praisonai-before-4.6.78/feed.xml" rel="self" type="application/rss+xml"/><item><title>Unauthenticated Server-Side Request Forgery in PraisonAI Jobs API (CVE-2026-60091)</title><link>https://feed.craftedsignal.io/briefs/2026-07-praisonai-ssrf/</link><pubDate>Fri, 10 Jul 2026 15:25:05 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-praisonai-ssrf/</guid><description>PraisonAI versions before 4.6.78 contain an unauthenticated server-side request forgery (SSRF) vulnerability, CVE-2026-60091, in the Jobs API `/api/v1/runs` endpoint via the `webhook_url` parameter, allowing attackers to exploit DNS rebinding to access internal services.</description><content:encoded><![CDATA[<p>An unauthenticated server-side request forgery (SSRF) vulnerability, identified as CVE-2026-60091, exists in PraisonAI versions prior to 4.6.78. This critical flaw resides within the Jobs API <code>/api/v1/runs</code> endpoint, specifically impacting the <code>webhook_url</code> parameter. Attackers can leverage a timing window where the <code>webhook_url</code> is initially validated as an external, legitimate target but then re-resolved to an internal IP address at connection time using DNS rebinding. This allows an external attacker to bypass security controls and force the PraisonAI application to make blind HTTP requests to arbitrary internal network services, potentially leading to unauthorized information disclosure, interaction with internal systems, or further lateral movement within an organization's network.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker registers a domain (e.g., <code>attacker.com</code>) and configures its DNS records with a short Time-To-Live (TTL). Initially, the domain resolves to a legitimate external IP address controlled by the attacker.</li>
<li>The attacker sends an unauthenticated POST request to the PraisonAI Jobs API endpoint <code>/api/v1/runs</code>, setting the <code>webhook_url</code> parameter to their malicious domain (e.g., <code>http://attacker.com/callback</code>).</li>
<li>During initial validation, PraisonAI performs a DNS lookup for <code>attacker.com</code>. At this stage, it resolves to the external IP, passing the validation checks designed to prevent access to internal or private IP ranges.</li>
<li>PraisonAI accepts the job and schedules the webhook callback for later execution.</li>
<li>Before PraisonAI attempts to connect to the <code>webhook_url</code> for the callback, the attacker rapidly updates the DNS record for <code>attacker.com</code> to point to an internal IP address (e.g., <code>192.168.1.10</code>), which hosts an internal service within the target network.</li>
<li>When PraisonAI executes the webhook callback, it performs a new DNS lookup for <code>attacker.com</code>. Due to the DNS rebinding, it now resolves to <code>192.168.1.10</code>.</li>
<li>PraisonAI then makes an HTTP request to <code>http://192.168.1.10/callback</code>, initiating a blind server-side request forgery against an internal service.</li>
<li>The internal service receives the request, potentially allowing the attacker to gather information about the internal network or interact with other internal systems, albeit blindly.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-60091 allows an unauthenticated attacker to bypass network segmentation and access internal services from an external position. This blind SSRF can lead to unauthorized information disclosure (C:L) and potentially limited modification of internal data (I:L), as indicated by its CVSS 3.1 score of 7.2. Attackers can use this vulnerability for internal network reconnaissance, identifying other vulnerable services, or indirectly interacting with sensitive internal systems that are not directly exposed to the internet. While direct arbitrary code execution is not implied, the ability to reach internal resources provides a significant foothold for further attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch PraisonAI instances immediately to version 4.6.78 or later to address CVE-2026-60091.</li>
<li>Implement strict outbound network filtering on the PraisonAI application server to prevent connections to internal IP ranges (RFC1918 addresses) or other unauthorized destinations. (network_connection logs)</li>
<li>Monitor DNS query logs from the PraisonAI server for suspicious rebinding patterns where a domain initially resolves to an external IP and then quickly changes to an internal IP. (dns_query logs)</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>ssrf</category><category>dns-rebinding</category><category>praisonai</category></item></channel></rss>