{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonaiagents--1.6.61/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonaiagents (\u003c 1.6.61)"],"_cs_severities":["high"],"_cs_tags":["ssrf","llm-agent","prompt-injection","praisonai","python","ghsa"],"_cs_type":"threat","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA significant Server-Side Request Forgery (SSRF) vulnerability has been identified in PraisonAI's \u003ccode\u003epraisonaiagents\u003c/code\u003e package, affecting versions prior to 1.6.61. This flaw stems from a lack of validation on the \u003ccode\u003esearxng_url\u003c/code\u003e parameter within the \u003ccode\u003esearxng_search\u003c/code\u003e and \u003ccode\u003esearch_web\u003c/code\u003e tools, which are part of the default agent toolset. Attackers can leverage prompt injection techniques to manipulate the \u003ccode\u003esearxng_url\u003c/code\u003e parameter, forcing the agent's underlying \u003ccode\u003erequests.get()\u003c/code\u003e function to make unvalidated HTTP requests to internal systems. This allows for reading responses from internal services and APIs, performing internal network enumeration, and potentially accessing cloud instance metadata endpoints (e.g., 169.254.169.254) to expose sensitive IAM credentials or other system information. 
The vulnerability does not require misconfiguration and is directly exploitable through attacker-controlled content ingested by the agent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Content\u003c/strong\u003e: An attacker embeds a carefully constructed prompt into content (e.g., a web page, file, or chat message) that an \u003ccode\u003epraisonaiagents\u003c/code\u003e LLM agent is likely to ingest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Ingests Malicious Prompt\u003c/strong\u003e: The \u003ccode\u003epraisonaiagents\u003c/code\u003e LLM agent processes the attacker-controlled content, which includes instructions designed to coerce it into calling its \u003ccode\u003esearch_web\u003c/code\u003e or \u003ccode\u003esearxng_search\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Calls Tool with Malicious Parameter\u003c/strong\u003e: Triggered by the prompt, the agent invokes \u003ccode\u003esearch_web(...)\u003c/code\u003e or \u003ccode\u003esearxng_search(...)\u003c/code\u003e, passing an attacker-specified internal URL (e.g., \u003ccode\u003ehttp://127.0.0.1:19998/admin/secrets\u003c/code\u003e or \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e) as the \u003ccode\u003esearxng_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnvalidated HTTP Request Made\u003c/strong\u003e: The Python code within \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/searxng_tools.py\u003c/code\u003e or \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/web_search.py\u003c/code\u003e receives the \u003ccode\u003esearxng_url\u003c/code\u003e and uses it directly in \u003ccode\u003erequests.get()\u003c/code\u003e without any scheme, host, or port validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer Performs Internal Request\u003c/strong\u003e: The server 
hosting the \u003ccode\u003epraisonaiagents\u003c/code\u003e instance attempts to connect to the specified internal endpoint, effectively turning the agent into a proxy for the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Response Captured and Returned\u003c/strong\u003e: If the internal endpoint responds, its HTTP response body is captured by the agent tool, parsed (specifically for a JSON \u003ccode\u003eresults\u003c/code\u003e key), and returned into the agent's context.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Enumeration\u003c/strong\u003e: The attacker can then coerce the agent (via further prompt injection or subsequent tool calls) to exfiltrate the captured internal data or to continue enumerating internal services based on error responses from closed ports.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exposure\u003c/strong\u003e: In cloud environments, successful access to the instance metadata endpoint (\u003ccode\u003e169.254.169.254\u003c/code\u003e) can lead to the exposure of IAM role credentials, allowing for further compromise of cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability significantly compromises the security of \u003ccode\u003epraisonaiagents\u003c/code\u003e deployments. Any agent configured with the default \u003ccode\u003esearch_web\u003c/code\u003e tool and capable of ingesting untrusted content (such as browsing the web, reading files, or processing external messages) is at risk. Attackers can gain unauthorized access to internal services and APIs, potentially reading sensitive data from administration panels or internal microservices that return JSON. The ability to distinguish between open and closed internal ports allows for comprehensive internal network enumeration, mapping out the internal infrastructure. 
Crucially, the reachability of cloud instance metadata endpoints (e.g., AWS IMDS) presents a high risk of IAM credential theft, which could lead to full compromise of the cloud environment. There are no known instances of active exploitation in the wild, but the existence of a public PoC increases the likelihood of future attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch \u003ccode\u003epraisonaiagents\u003c/code\u003e immediately\u003c/strong\u003e: Upgrade the \u003ccode\u003epraisonaiagents\u003c/code\u003e package to version 1.6.61 or later to remediate CVE-2026-XXXX.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma rules\u003c/strong\u003e: Deploy the provided Sigma rules (\u003ccode\u003eDetect Outbound PraisonAI Connections to Internal/Metadata IPs\u003c/code\u003e and \u003ccode\u003eDetect PraisonAI Process Execution\u003c/code\u003e) in your SIEM to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement egress filtering\u003c/strong\u003e: Configure network egress filtering at the host or network perimeter to block \u003ccode\u003epraisonaiagents\u003c/code\u003e processes from initiating connections to RFC1918 private IP ranges and the cloud instance metadata IP \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor outbound network connections\u003c/strong\u003e: Enable detailed logging for all outbound network connections from systems running \u003ccode\u003epraisonaiagents\u003c/code\u003e to detect anomalous destinations, especially the IP address \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:56:56Z","date_published":"2026-06-18T14:56:56Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's 
`praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.","title":"PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web Tools via Attacker-Controlled searxng_url Parameter","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Praisonaiagents (\u003c 1.6.61)","version":"https://jsonfeed.org/version/1.1"}