{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/praisonaiagents/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["praisonaiagents"],"_cs_severities":["high"],"_cs_tags":["ssrf","praisonai","vulnerability"],"_cs_type":"advisory","_cs_vendors":["pip"],"content_html":"\u003cp\u003ePraisonAI, a project utilizing URL validation to prevent SSRF attacks, is vulnerable due to a discrepancy in how URLs are parsed. Specifically, the application\u0026rsquo;s \u003ccode\u003e_validate_url\u003c/code\u003e function relies on \u003ccode\u003eurlparse\u003c/code\u003e for security checks, while the actual HTTP requests are made using the \u003ccode\u003erequests\u003c/code\u003e library. The vulnerability arises from the differing interpretations of URLs containing both an IP address and a username/password component (e.g., \u003ccode\u003ehttp://127.0.0.1:6666\\@1.1.1.1\u003c/code\u003e). The \u003ccode\u003eurlparse\u003c/code\u003e function extracts the hostname after the \u003ccode\u003e@\u003c/code\u003e symbol (1.1.1.1), while \u003ccode\u003erequests\u003c/code\u003e connects to the host before the \u003ccode\u003e@\u003c/code\u003e symbol (127.0.0.1). This allows attackers to bypass the URL validation and send requests to internal resources. This affects PraisonAI agents version 1.6.31 and earlier and could allow access to internal services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a PraisonAI endpoint that accepts a URL as input.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious URL in the format \u003ccode\u003ehttp://127.0.0.1:6666\\@1.1.1.1\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe application\u0026rsquo;s \u003ccode\u003e_validate_url\u003c/code\u003e function parses the URL using \u003ccode\u003eurlparse\u003c/code\u003e, which resolves the host to \u003ccode\u003e1.1.1.1\u003c/code\u003e (a public IP).\u003c/li\u003e\n\u003cli\u003eThe validation logic incorrectly identifies the target as an external resource, and allows the request to proceed.\u003c/li\u003e\n\u003cli\u003eThe application then uses \u003ccode\u003erequests.get\u003c/code\u003e to make an HTTP request to the provided URL.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erequests\u003c/code\u003e library interprets the URL differently and connects to \u003ccode\u003e127.0.0.1:6666\u003c/code\u003e (a local resource).\u003c/li\u003e\n\u003cli\u003eThe request is sent to the internal service running on \u003ccode\u003e127.0.0.1:6666\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to the internal service, potentially leading to information disclosure or further exploitation.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SSRF vulnerability allows attackers to bypass intended security controls and access internal resources that are not meant to be exposed to the external network. This could lead to the disclosure of sensitive information, the execution of arbitrary code on internal systems, or further lateral movement within the network. The affected package, \u003ccode\u003epip/praisonaiagents\u003c/code\u003e, is vulnerable in versions 1.6.31 and earlier.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003ePraisonAI SSRF Attempt via URL Parsing Discrepancy\u003c/code\u003e to detect attempts to exploit this vulnerability by monitoring for requests with the specific URL format.\u003c/li\u003e\n\u003cli\u003eApply the patch or upgrade to a version of PraisonAI agents greater than 1.6.31 to remediate CVE-2026-44335.\u003c/li\u003e\n\u003cli\u003eImplement additional server-side validation to prevent SSRF as a defense-in-depth measure.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T22:08:11Z","date_published":"2026-05-06T22:08:11Z","id":"/briefs/2026-05-praisonai-ssrf/","summary":"PraisonAI versions 1.6.31 and earlier contain a Server-Side Request Forgery (SSRF) vulnerability due to inconsistent URL parsing between the application's validation logic and the underlying requests library, allowing attackers to bypass intended security checks and access internal resources.","title":"PraisonAI SSRF Vulnerability via URL Parsing Discrepancy","url":"https://feed.craftedsignal.io/briefs/2026-05-praisonai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed — Praisonaiagents","version":"https://jsonfeed.org/version/1.1"}