{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/api-exploitation/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["crawl4ai (\u003c= 0.8.9)"],"_cs_severities":["high"],"_cs_tags":["ssrf","web-application","docker","unauthenticated","api-exploitation"],"_cs_type":"advisory","_cs_vendors":["Crawl4AI"],"content_html":"\u003cp\u003eA remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in the Crawl4AI Docker API server, specifically targeting versions up to 0.8.9. The vulnerability exists because the \u003ccode\u003ehandle_stream_crawl_request\u003c/code\u003e function, used by \u003ccode\u003ePOST /crawl/stream\u003c/code\u003e and \u003ccode\u003ePOST /crawl\u003c/code\u003e with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e, fails to validate the destination of provided seed URLs. This oversight allows attackers to supply URLs pointing to internal networks, private IP addresses, or cloud-metadata endpoints (e.g., \u003ccode\u003ehttp://169.254.169.254/\u003c/code\u003e). The server then fetches the content from these internal resources and streams the response directly back to the attacker, potentially leading to unauthorized access to sensitive information like cloud IAM credentials or details about internal services. This critical flaw highlights a gap in the API's security checks, which was previously intended to prevent such attacks on non-streaming paths but was overlooked for streaming functionalities. 
The Docker API is often unauthenticated by default, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies an internet-facing Crawl4AI Docker API server (version \u0026lt;= 0.8.9).\u003c/li\u003e\n\u003cli\u003eAttacker crafts an unauthenticated \u003ccode\u003ePOST\u003c/code\u003e request targeting the \u003ccode\u003e/crawl/stream\u003c/code\u003e endpoint, or the \u003ccode\u003e/crawl\u003c/code\u003e endpoint with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eWithin the request body, the attacker includes a malicious seed URL pointing to an internal, private, or link-local address, such as \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Crawl4AI server's \u003ccode\u003ehandle_stream_crawl_request\u003c/code\u003e function processes the request without applying the necessary \u003ccode\u003evalidate_url_destination\u003c/code\u003e check.\u003c/li\u003e\n\u003cli\u003eThe server initiates an outbound connection to the specified internal URL, fetching the content of the internal resource (e.g., cloud instance metadata).\u003c/li\u003e\n\u003cli\u003eThe fetched response body (e.g., AWS IAM temporary credentials) is then streamed back by the Crawl4AI server to the unauthenticated attacker's client.\u003c/li\u003e\n\u003cli\u003eThe attacker receives and extracts sensitive internal information or credentials from the streamed response.\u003c/li\u003e\n\u003cli\u003eAttacker potentially uses the obtained credentials to escalate privileges or access other internal cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis unauthenticated Server-Side Request Forgery (SSRF) allows remote attackers to read arbitrary internal services and cloud-metadata endpoints. 
This can expose highly sensitive information such as cloud IAM temporary credentials (e.g., from \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/iam/security-credentials/\u003c/code\u003e), internal network topology, or other confidential data hosted on inaccessible internal systems. The vulnerability is considered high severity due to its unauthenticated nature and direct access to internal resources, which is similar in class and impact to previously identified SSRF flaws in the project. Successful exploitation could lead to privilege escalation, data exfiltration, or broader compromise of cloud environments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Crawl4AI instances to version 0.9.0 or later to patch the SSRF vulnerability.\u003c/li\u003e\n\u003cli\u003eEnable authentication on the Crawl4AI Docker API and restrict access to authorized users/systems only.\u003c/li\u003e\n\u003cli\u003eImplement egress filtering or network segmentation to restrict outbound network access from Crawl4AI containers, preventing connections to internal or metadata service IP ranges like \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rules to your SIEM to detect attempts at exploiting the \u003ccode\u003e/crawl/stream\u003c/code\u003e or \u003ccode\u003e/crawl\u003c/code\u003e (with \u003ccode\u003ecrawler_config.stream=true\u003c/code\u003e) endpoints with internal IP addresses.\u003c/li\u003e\n\u003cli\u003eEnsure webserver access logs are enabled and ingested into your SIEM for the Crawl4AI application to allow detection of malicious \u003ccode\u003ePOST\u003c/code\u003e requests targeting \u003ccode\u003e/crawl/stream\u003c/code\u003e or 
\u003ccode\u003e/crawl\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T17:41:17Z","date_published":"2026-06-18T17:41:17Z","id":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-ssrf/","summary":"A remote, unauthenticated attacker can exploit an unpatched Server-Side Request Forgery (SSRF) vulnerability in Crawl4AI Docker API versions up to 0.8.9, specifically targeting the `/crawl/stream` endpoint, to read internal network services and cloud-metadata endpoints, potentially exposing sensitive information like IAM credentials.","title":"Crawl4AI Unauthenticated SSRF in Docker API `crawl/stream` Endpoint","url":"https://feed.craftedsignal.io/briefs/2026-06-crawl4ai-ssrf/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonai (\u003c 4.6.61)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","authentication-bypass","api-exploitation","misconfiguration","container"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA critical authentication bypass exists in PraisonAI, affecting versions prior to 4.6.61. The vulnerability stems from an undocumented \u0026quot;feature\u0026quot; where setting the \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e environment variable completely deactivates authentication for the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint. This misconfiguration is highly likely to be present in production Docker and Docker Compose deployments due to the application's own error messages explicitly advertising this bypass as a convenience option. 
Attackers can leverage this to gain full unauthenticated access to agent invocation functionalities, enabling them to trigger any registered agent and potentially execute arbitrary actions depending on the agent's configured tools, leading to severe compromise of the host system or connected services.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance\u003c/strong\u003e: An attacker identifies an internet-facing PraisonAI instance, typically deployed via Docker or Docker Compose.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Identification\u003c/strong\u003e: The attacker attempts to interact with the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint without authentication, potentially observing error messages that suggest setting \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e to bypass auth, confirming the misconfiguration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnauthenticated API Call\u003c/strong\u003e: The attacker constructs a \u003ccode\u003ePOST\u003c/code\u003e request to \u003ccode\u003e/api/v1/agents/{agent_id}/invoke\u003c/code\u003e with a malicious payload, targeting a known or guessed agent ID, and sends it to the vulnerable PraisonAI instance without providing any authentication credentials.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Triggering\u003c/strong\u003e: Due to the \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e setting, the PraisonAI server bypasses all authentication checks and processes the unauthenticated request, triggering the specified agent.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution via Agent Tools\u003c/strong\u003e: The activated agent, configured with specific tools (e.g., shell access, Python interpreter, API keys), executes arbitrary actions as dictated by the attacker's payload injected via the \u003ccode\u003einvoke\u003c/code\u003e 
endpoint.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImpact\u003c/strong\u003e: This unauthenticated execution leads to consequences such as data exfiltration, remote code execution, system compromise, or further lateral movement within the compromised environment.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of this vulnerability is full unauthenticated access to the PraisonAI agent invocation API. If exploited, an attacker can trigger any registered agent on the server without needing valid credentials. This means that if an agent has been configured with access to sensitive systems or functionalities (e.g., shell command execution, database access, cloud API keys), the attacker can leverage these capabilities to execute arbitrary actions. This can result in data exfiltration, privilege escalation, remote code execution, or complete compromise of the underlying server and connected resources. The ease of exploitation and potential for severe consequences makes this a critical security concern for organizations running affected PraisonAI versions.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update PraisonAI instances to version \u003ccode\u003e4.6.61\u003c/code\u003e or newer to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview all Dockerfiles, Docker Compose configurations, and environment variable settings for PraisonAI deployments to ensure \u003ccode\u003ePRAISONAI_CALL_AUTH=disabled\u003c/code\u003e is not present, or is explicitly set to \u003ccode\u003eenabled\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the provided \u003ccode\u003eDetect PraisonAI Unauthenticated Agent Invocation\u003c/code\u003e Sigma rule to your SIEM to monitor for exploitation attempts against the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eDeploy the 
provided \u003ccode\u003eDetect PraisonAI PRAISONAI_CALL_AUTH=disabled Misconfiguration\u003c/code\u003e Sigma rule to your EDR/SIEM to identify systems misconfigured with the vulnerable environment variable.\u003c/li\u003e\n\u003cli\u003eImplement strict network access controls to limit access to PraisonAI instances, particularly the \u003ccode\u003e/api/v1/agents/{id}/invoke\u003c/code\u003e API endpoint, to only trusted internal networks or specific services.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:55:58Z","date_published":"2026-06-18T14:55:58Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-auth-bypass/","summary":"A high-severity authentication bypass vulnerability in PraisonAI versions prior to 4.6.61 allows unauthenticated attackers to invoke any registered agent on deployments where the `PRAISONAI_CALL_AUTH=disabled` environment variable is set, potentially leading to arbitrary code execution or system compromise.","title":"PraisonAI Authentication Bypass via PRAISONAI_CALL_AUTH=disabled","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Api-Exploitation","version":"https://jsonfeed.org/version/1.1"}