https://feed.craftedsignal.io/tags/llm-agent/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 18 Jun 2026 15:08:53 +0000https://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/Thu, 18 Jun 2026 15:08:53 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-praisonai-imap-injection/A command injection vulnerability (CVE-NONE) exists in PraisonAI's `praisonaiagents` package (versions <= 1.6.48) where unsanitized LLM-controlled parameters are directly interpolated into IMAP SEARCH commands, allowing attackers to craft malicious prompts to inject arbitrary IMAP commands, leading to unauthorized email exfiltration, deletion, or denial-of-service when email tools are configured.A critical command injection vulnerability has been identified in the praisonaiagents package, affecting versions up to and including 1.6.48, developed by PraisonAI. This flaw stems from the improper sanitization of LLM-controlled parameters (such as from_addr, subject, query, search_id, and message_id) when constructing IMAP SEARCH commands. Attackers can leverage this by crafting malicious prompts that, when processed by an LLM agent configured with email tools, cause the agent to execute arbitrary IMAP commands on the backend mail server. This vulnerability, actively reported in June 2026, poses a significant risk to organizations using PraisonAI agents with email integration, potentially leading to sensitive data exfiltration, permanent email deletion, or denial-of-service by terminating IMAP sessions.

Attack Chain

1. An attacker crafts a malicious prompt containing an IMAP command injection payload, such as a double-quote followed by an IMAP command (e.g., " LOGOUT).
2. An LLM agent, configured with EMAIL_ADDRESS and EMAIL_PASSWORD environment variables, processes the crafted prompt as part of its normal operation.
3. The LLM agent calls an internal praisonaiagents tool function (e.g., search_emails, reply_email, or archive_email) passing the malicious input as a parameter (e.g., from_addr, subject, query, search_id).
4. The praisonaiagents tool function dynamically constructs an IMAP SEARCH command by directly interpolating the unsanitized parameter into an f-string, allowing the attacker's double-quote to prematurely close the legitimate quoted string.
5. The constructed IMAP command string, now containing an injected IMAP command (e.g., LOGOUT, SELECT INBOX, FETCH 1:* (BODY[]), DELETE 1:*, EXPUNGE), is sent by the praisonaiagents process to the configured IMAP server.
6. The IMAP server receives the crafted command string, parses it, and executes both the legitimate SEARCH portion (if any) and the injected IMAP command.
7. The injected IMAP command performs an unauthorized action on the IMAP server, such as terminating the IMAP session, switching to another mailbox, fetching email contents, modifying email flags, or deleting messages.
8. The attacker achieves their objective, which could include exfiltrating sensitive email data, causing denial-of-service, or permanently deleting emails from the compromised mailbox.

Impact

Successful exploitation of this vulnerability grants attackers significant control over the configured IMAP mailbox. Attackers can terminate IMAP connections, causing a denial-of-service against the agent's email capabilities. More critically, arbitrary IMAP commands can be injected, allowing the attacker to enumerate mailboxes (LIST), switch to different folders (SELECT), fetch the contents of any email (FETCH), modify email flags (STORE), move emails (COPY/MOVE), or permanently delete emails (DELETE/EXPUNGE). This leads to unauthorized email data exfiltration from potentially all accessible mailboxes, or catastrophic data loss through permanent deletion of email archives. The attack specifically targets email-capable agents deployed with the documented EMAIL_ADDRESS and EMAIL_PASSWORD environment variables, indicating a direct threat to sensitive communications.

Recommendation

• Immediately update the praisonaiagents package to a version greater than 1.6.48 (when available) or apply the recommended remediation of properly escaping double-quote characters or using IMAP literal syntax for all user-controlled parameters (from_addr, subject, query, search_id, message_id).
• Monitor IMAP server logs for suspicious commands, specifically looking for unexpected IMAP keywords (e.g., LOGOUT, SELECT, FETCH, DELETE, EXPUNGE) embedded within SEARCH criteria, as outlined in the Sigma rules above.
• Ensure IMAP server logging is enabled and captures full commands and arguments, which is essential to activate the Sigma rules in this brief.
• Restrict the permissions of the IMAP account used by praisonaiagents to the bare minimum necessary for its operations (e.g., read-only access to specific folders).

]]>highadvisorycommand-injectionllm-agentimapemaildata-exfiltrationhttps://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/Thu, 18 Jun 2026 14:56:56 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-06-praisonai-ssrf/A Server-Side Request Forgery (SSRF) vulnerability in PraisonAI's `praisonaiagents` package (versions prior to 1.6.61), specifically within the `searxng_search` and `search_web` tools, allows an attacker to exploit prompt injection by controlling the `searxng_url` parameter, enabling the server to make requests to arbitrary internal endpoints, read responses, perform network enumeration, and potentially expose cloud instance credentials.A significant Server-Side Request Forgery (SSRF) vulnerability has been identified in PraisonAI's praisonaiagents package, affecting versions prior to 1.6.61. This flaw stems from a lack of validation on the searxng_url parameter within the searxng_search and search_web tools, which are part of the default agent toolset. Attackers can leverage prompt injection techniques to manipulate the searxng_url parameter, forcing the agent's underlying requests.get() function to make unvalidated HTTP requests to internal systems. This allows for reading responses from internal services and APIs, performing internal network enumeration, and potentially accessing cloud instance metadata endpoints (e.g., 169.254.169.254) to expose sensitive IAM credentials or other system information. The vulnerability does not require misconfiguration and is directly exploitable through attacker-controlled content ingested by the agent.

Attack Chain

1. Attacker Crafts Malicious Content: An attacker embeds a carefully constructed prompt into content (e.g., a web page, file, or chat message) that an praisonaiagents LLM agent is likely to ingest.
2. Agent Ingests Malicious Prompt: The praisonaiagents LLM agent processes the attacker-controlled content, which includes instructions designed to coerce it into calling its search_web or searxng_search tool.
3. Agent Calls Tool with Malicious Parameter: Triggered by the prompt, the agent invokes search_web(...) or searxng_search(...), passing an attacker-specified internal URL (e.g., http://127.0.0.1:19998/admin/secrets or http://169.254.169.254/latest/meta-data/) as the searxng_url parameter.
4. Unvalidated HTTP Request Made: The Python code within src/praisonai-agents/praisonaiagents/tools/searxng_tools.py or src/praisonai-agents/praisonaiagents/tools/web_search.py receives the searxng_url and uses it directly in requests.get() without any scheme, host, or port validation.
5. Server Performs Internal Request: The server hosting the praisonaiagents instance attempts to connect to the specified internal endpoint, effectively turning the agent into a proxy for the attacker.
6. Internal Response Captured and Returned: If the internal endpoint responds, its HTTP response body is captured by the agent tool, parsed (specifically for a JSON results key), and returned into the agent's context.
7. Data Exfiltration/Enumeration: The attacker can then coerce the agent (via further prompt injection or subsequent tool calls) to exfiltrate the captured internal data or to continue enumerating internal services based on error responses from closed ports.
8. Credential Exposure: In cloud environments, successful access to the instance metadata endpoint (169.254.169.254) can lead to the exposure of IAM role credentials, allowing for further compromise of cloud resources.

Impact

This SSRF vulnerability significantly compromises the security of praisonaiagents deployments. Any agent configured with the default search_web tool and capable of ingesting untrusted content (such as browsing the web, reading files, or processing external messages) is at risk. Attackers can gain unauthorized access to internal services and APIs, potentially reading sensitive data from administration panels or internal microservices that return JSON. The ability to distinguish between open and closed internal ports allows for comprehensive internal network enumeration, mapping out the internal infrastructure. Crucially, the reachability of cloud instance metadata endpoints (e.g., AWS IMDS) presents a high risk of IAM credential theft, which could lead to full compromise of the cloud environment. There are no known instances of active exploitation in the wild, but the existence of a public PoC increases the likelihood of future attacks.

Recommendation

• Patch praisonaiagents immediately: Upgrade the praisonaiagents package to version 1.6.61 or later to remediate CVE-2026-XXXX.
• Deploy Sigma rules: Implement the provided Sigma rules (Detect Outbound PraisonAI Connections to Internal/Metadata IPs and Detect PraisonAI Process Execution) into your SIEM to identify suspicious activity.
• Implement egress filtering: Configure network egress filtering at the host or network perimeter to block praisonaiagents processes from initiating connections to RFC1918 private IP ranges and the cloud instance metadata IP 169.254.169.254.
• Monitor outbound network connections: Enable detailed logging for all outbound network connections from systems running praisonaiagents to detect anomalous destinations, especially the IP address 169.254.169.254.

]]>highthreatssrfllm-agentprompt-injectionpraisonaipythonghsa