{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/llm-agent/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonaiagents (\u003c= 1.6.48)"],"_cs_severities":["high"],"_cs_tags":["command-injection","llm-agent","imap","email","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA critical command injection vulnerability has been identified in the \u003ccode\u003epraisonaiagents\u003c/code\u003e package, affecting versions up to and including 1.6.48, developed by PraisonAI. This flaw stems from the improper sanitization of LLM-controlled parameters (such as \u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e, and \u003ccode\u003emessage_id\u003c/code\u003e) when constructing IMAP SEARCH commands. Attackers can leverage this by crafting malicious prompts that, when processed by an LLM agent configured with email tools, cause the agent to execute arbitrary IMAP commands on the backend mail server. This vulnerability, actively reported in June 2026, poses a significant risk to organizations using PraisonAI agents with email integration, potentially leading to sensitive data exfiltration, permanent email deletion, or denial-of-service by terminating IMAP sessions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious prompt containing an IMAP command injection payload, such as a double-quote followed by an IMAP command (e.g., \u003ccode\u003e\u0026quot; LOGOUT\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eAn LLM agent, configured with \u003ccode\u003eEMAIL_ADDRESS\u003c/code\u003e and \u003ccode\u003eEMAIL_PASSWORD\u003c/code\u003e environment variables, processes the crafted prompt as part of its normal operation.\u003c/li\u003e\n\u003cli\u003eThe LLM agent calls an internal \u003ccode\u003epraisonaiagents\u003c/code\u003e tool function (e.g., \u003ccode\u003esearch_emails\u003c/code\u003e, \u003ccode\u003ereply_email\u003c/code\u003e, or \u003ccode\u003earchive_email\u003c/code\u003e) passing the malicious input as a parameter (e.g., \u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epraisonaiagents\u003c/code\u003e tool function dynamically constructs an IMAP \u003ccode\u003eSEARCH\u003c/code\u003e command by directly interpolating the unsanitized parameter into an f-string, allowing the attacker's double-quote to prematurely close the legitimate quoted string.\u003c/li\u003e\n\u003cli\u003eThe constructed IMAP command string, now containing an injected IMAP command (e.g., \u003ccode\u003eLOGOUT\u003c/code\u003e, \u003ccode\u003eSELECT INBOX\u003c/code\u003e, \u003ccode\u003eFETCH 1:* (BODY[])\u003c/code\u003e, \u003ccode\u003eDELETE 1:*\u003c/code\u003e, \u003ccode\u003eEXPUNGE\u003c/code\u003e), is sent by the \u003ccode\u003epraisonaiagents\u003c/code\u003e process to the configured IMAP server.\u003c/li\u003e\n\u003cli\u003eThe IMAP server receives the crafted command string, parses it, and executes both the legitimate \u003ccode\u003eSEARCH\u003c/code\u003e portion (if any) and the injected IMAP command.\u003c/li\u003e\n\u003cli\u003eThe injected IMAP command performs an unauthorized action on the IMAP server, such as terminating the IMAP session, switching to another mailbox, fetching email contents, modifying email flags, or deleting messages.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their objective, which could include exfiltrating sensitive email data, causing denial-of-service, or permanently deleting emails from the compromised mailbox.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability grants attackers significant control over the configured IMAP mailbox. Attackers can terminate IMAP connections, causing a denial-of-service against the agent's email capabilities. More critically, arbitrary IMAP commands can be injected, allowing the attacker to enumerate mailboxes (LIST), switch to different folders (SELECT), fetch the contents of any email (FETCH), modify email flags (STORE), move emails (COPY/MOVE), or permanently delete emails (DELETE/EXPUNGE). This leads to unauthorized email data exfiltration from potentially all accessible mailboxes, or catastrophic data loss through permanent deletion of email archives. The attack specifically targets email-capable agents deployed with the documented \u003ccode\u003eEMAIL_ADDRESS\u003c/code\u003e and \u003ccode\u003eEMAIL_PASSWORD\u003c/code\u003e environment variables, indicating a direct threat to sensitive communications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately update the \u003ccode\u003epraisonaiagents\u003c/code\u003e package to a version greater than 1.6.48 (when available) or apply the recommended remediation of properly escaping double-quote characters or using IMAP literal syntax for all user-controlled parameters (\u003ccode\u003efrom_addr\u003c/code\u003e, \u003ccode\u003esubject\u003c/code\u003e, \u003ccode\u003equery\u003c/code\u003e, \u003ccode\u003esearch_id\u003c/code\u003e, \u003ccode\u003emessage_id\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor IMAP server logs for suspicious commands, specifically looking for unexpected IMAP keywords (e.g., \u003ccode\u003eLOGOUT\u003c/code\u003e, \u003ccode\u003eSELECT\u003c/code\u003e, \u003ccode\u003eFETCH\u003c/code\u003e, \u003ccode\u003eDELETE\u003c/code\u003e, \u003ccode\u003eEXPUNGE\u003c/code\u003e) embedded within \u003ccode\u003eSEARCH\u003c/code\u003e criteria, as outlined in the Sigma rules above.\u003c/li\u003e\n\u003cli\u003eEnsure IMAP server logging is enabled and captures full commands and arguments, which is essential to activate the Sigma rules in this brief.\u003c/li\u003e\n\u003cli\u003eRestrict the permissions of the IMAP account used by \u003ccode\u003epraisonaiagents\u003c/code\u003e to the bare minimum necessary for its operations (e.g., read-only access to specific folders).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T15:08:53Z","date_published":"2026-06-18T15:08:53Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/","summary":"A command injection vulnerability (CVE-NONE) exists in PraisonAI's `praisonaiagents` package (versions \u003c= 1.6.48) where unsanitized LLM-controlled parameters are directly interpolated into IMAP SEARCH commands, allowing attackers to craft malicious prompts to inject arbitrary IMAP commands, leading to unauthorized email exfiltration, deletion, or denial-of-service when email tools are configured.","title":"PraisonAI: IMAP Command Injection via Unsanitized Email Search Parameters","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":true,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["praisonaiagents (\u003c 1.6.61)"],"_cs_severities":["high"],"_cs_tags":["ssrf","llm-agent","prompt-injection","praisonai","python","ghsa"],"_cs_type":"threat","_cs_vendors":["PraisonAI"],"content_html":"\u003cp\u003eA significant Server-Side Request Forgery (SSRF) vulnerability has been identified in PraisonAI's \u003ccode\u003epraisonaiagents\u003c/code\u003e package, affecting versions prior to 1.6.61. This flaw stems from a lack of validation on the \u003ccode\u003esearxng_url\u003c/code\u003e parameter within the \u003ccode\u003esearxng_search\u003c/code\u003e and \u003ccode\u003esearch_web\u003c/code\u003e tools, which are part of the default agent toolset. Attackers can leverage prompt injection techniques to manipulate the \u003ccode\u003esearxng_url\u003c/code\u003e parameter, forcing the agent's underlying \u003ccode\u003erequests.get()\u003c/code\u003e function to make unvalidated HTTP requests to internal systems. This allows for reading responses from internal services and APIs, performing internal network enumeration, and potentially accessing cloud instance metadata endpoints (e.g., 169.254.169.254) to expose sensitive IAM credentials or other system information. The vulnerability does not require misconfiguration and is directly exploitable through attacker-controlled content ingested by the agent.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eAttacker Crafts Malicious Content\u003c/strong\u003e: An attacker embeds a carefully constructed prompt into content (e.g., a web page, file, or chat message) that an \u003ccode\u003epraisonaiagents\u003c/code\u003e LLM agent is likely to ingest.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Ingests Malicious Prompt\u003c/strong\u003e: The \u003ccode\u003epraisonaiagents\u003c/code\u003e LLM agent processes the attacker-controlled content, which includes instructions designed to coerce it into calling its \u003ccode\u003esearch_web\u003c/code\u003e or \u003ccode\u003esearxng_search\u003c/code\u003e tool.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAgent Calls Tool with Malicious Parameter\u003c/strong\u003e: Triggered by the prompt, the agent invokes \u003ccode\u003esearch_web(...)\u003c/code\u003e or \u003ccode\u003esearxng_search(...)\u003c/code\u003e, passing an attacker-specified internal URL (e.g., \u003ccode\u003ehttp://127.0.0.1:19998/admin/secrets\u003c/code\u003e or \u003ccode\u003ehttp://169.254.169.254/latest/meta-data/\u003c/code\u003e) as the \u003ccode\u003esearxng_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eUnvalidated HTTP Request Made\u003c/strong\u003e: The Python code within \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/searxng_tools.py\u003c/code\u003e or \u003ccode\u003esrc/praisonai-agents/praisonaiagents/tools/web_search.py\u003c/code\u003e receives the \u003ccode\u003esearxng_url\u003c/code\u003e and uses it directly in \u003ccode\u003erequests.get()\u003c/code\u003e without any scheme, host, or port validation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eServer Performs Internal Request\u003c/strong\u003e: The server hosting the \u003ccode\u003epraisonaiagents\u003c/code\u003e instance attempts to connect to the specified internal endpoint, effectively turning the agent into a proxy for the attacker.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eInternal Response Captured and Returned\u003c/strong\u003e: If the internal endpoint responds, its HTTP response body is captured by the agent tool, parsed (specifically for a JSON \u003ccode\u003eresults\u003c/code\u003e key), and returned into the agent's context.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration/Enumeration\u003c/strong\u003e: The attacker can then coerce the agent (via further prompt injection or subsequent tool calls) to exfiltrate the captured internal data or to continue enumerating internal services based on error responses from closed ports.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Exposure\u003c/strong\u003e: In cloud environments, successful access to the instance metadata endpoint (\u003ccode\u003e169.254.169.254\u003c/code\u003e) can lead to the exposure of IAM role credentials, allowing for further compromise of cloud resources.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis SSRF vulnerability significantly compromises the security of \u003ccode\u003epraisonaiagents\u003c/code\u003e deployments. Any agent configured with the default \u003ccode\u003esearch_web\u003c/code\u003e tool and capable of ingesting untrusted content (such as browsing the web, reading files, or processing external messages) is at risk. Attackers can gain unauthorized access to internal services and APIs, potentially reading sensitive data from administration panels or internal microservices that return JSON. The ability to distinguish between open and closed internal ports allows for comprehensive internal network enumeration, mapping out the internal infrastructure. Crucially, the reachability of cloud instance metadata endpoints (e.g., AWS IMDS) presents a high risk of IAM credential theft, which could lead to full compromise of the cloud environment. There are no known instances of active exploitation in the wild, but the existence of a public PoC increases the likelihood of future attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch \u003ccode\u003epraisonaiagents\u003c/code\u003e immediately\u003c/strong\u003e: Upgrade the \u003ccode\u003epraisonaiagents\u003c/code\u003e package to version 1.6.61 or later to remediate CVE-2026-XXXX.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma rules\u003c/strong\u003e: Implement the provided Sigma rules (\u003ccode\u003eDetect Outbound PraisonAI Connections to Internal/Metadata IPs\u003c/code\u003e and \u003ccode\u003eDetect PraisonAI Process Execution\u003c/code\u003e) into your SIEM to identify suspicious activity.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement egress filtering\u003c/strong\u003e: Configure network egress filtering at the host or network perimeter to block \u003ccode\u003epraisonaiagents\u003c/code\u003e processes from initiating connections to RFC1918 private IP ranges and the cloud instance metadata IP \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMonitor outbound network connections\u003c/strong\u003e: Enable detailed logging for all outbound network connections from systems running \u003ccode\u003epraisonaiagents\u003c/code\u003e to detect anomalous destinations, especially the IP address \u003ccode\u003e169.254.169.254\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-06-18T14:56:56Z","date_published":"2026-06-18T14:56:56Z","id":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/","summary":"A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.","title":"PraisonAI: Server-Side Request Forgery (SSRF) in SearxNG / search_web Tools via Attacker-Controlled searxng_url Parameter","url":"https://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/"}],"language":"en","title":"CraftedSignal Threat Feed - Llm-Agent","version":"https://jsonfeed.org/version/1.1"}