CVE-2026-34936 Overview
CVE-2026-34936 is a Server-Side Request Forgery (SSRF) vulnerability in PraisonAI, a multi-agent teams system. The vulnerability exists in the passthrough() and apassthrough() functions which accept a caller-controlled api_base parameter. This parameter is concatenated with an endpoint and passed directly to httpx.Client.request() when the litellm primary path raises an AttributeError. The implementation lacks URL scheme validation, private IP filtering, or domain allowlist controls, enabling attackers to forge requests to any host reachable from the server.
Critical Impact
Authenticated attackers can leverage this SSRF vulnerability to access internal network resources, cloud metadata services, and sensitive internal APIs from the PraisonAI server, potentially leading to data exfiltration or further compromise of internal infrastructure.
Affected Products
- PraisonAI versions prior to 4.5.90
Discovery Timeline
- 2026-04-03 - CVE CVE-2026-34936 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-34936
Vulnerability Analysis
This SSRF vulnerability (CWE-918) stems from improper input validation in PraisonAI's API passthrough functionality. The passthrough() and apassthrough() functions are designed to forward requests to external API endpoints. However, they accept an api_base parameter directly from user input without proper sanitization or validation.
When the primary litellm code path encounters an AttributeError, the fallback mechanism concatenates the attacker-controlled api_base with the target endpoint and issues an HTTP request via httpx.Client.request(). This design flaw allows attackers to specify arbitrary URLs, including internal network addresses, cloud metadata endpoints (e.g., http://169.254.169.254/), and other sensitive services.
The vulnerability requires low privileges to exploit but can affect resources beyond the vulnerable component's security scope, as the server can be weaponized to probe and interact with internal network infrastructure.
Root Cause
The root cause is insufficient input validation on the api_base parameter in the passthrough functions. The implementation fails to:
- Validate URL schemes (allowing file://, gopher://, or other dangerous protocols)
- Filter requests to private IP ranges (RFC 1918 addresses, localhost, link-local addresses)
- Implement a domain allowlist to restrict outbound requests to trusted endpoints
- Sanitize or normalize the URL before making HTTP requests
Attack Vector
The attack is network-based and can be executed by any authenticated user with access to the PraisonAI API. An attacker supplies a malicious api_base parameter pointing to an internal resource or sensitive endpoint. When the litellm path fails with an AttributeError, the fallback code executes a request to the attacker-specified URL, returning the response to the attacker.
The vulnerability mechanism works as follows: When a user makes a request to the passthrough endpoint with a crafted api_base value such as http://169.254.169.254/latest/meta-data/, the server will fetch cloud instance metadata and return it to the attacker. Similarly, internal services like http://internal-service:8080/api/secrets become accessible through the compromised server. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2026-34936
Indicators of Compromise
- Unusual outbound HTTP requests from the PraisonAI server to internal IP ranges (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints such as 169.254.169.254 originating from the application server
- API calls to the passthrough endpoints with suspicious api_base parameters containing internal hostnames or IP addresses
- Increased error rates or AttributeError exceptions in application logs preceding unusual network activity
Detection Strategies
- Monitor network egress from PraisonAI servers for connections to private IP ranges, localhost, or cloud metadata services
- Implement application-level logging to capture all api_base parameter values submitted to passthrough endpoints
- Deploy Web Application Firewall (WAF) rules to detect and block SSRF payloads in request parameters
- Use network segmentation monitoring to detect unexpected lateral movement from web application servers
Monitoring Recommendations
- Enable verbose logging for the PraisonAI application to capture all API passthrough requests and their parameters
- Set up alerts for network connections from the application server to internal services that should not be directly accessed
- Monitor for increased AttributeError exceptions which may indicate exploitation attempts
- Review access logs for repeated requests to passthrough endpoints from single sources
How to Mitigate CVE-2026-34936
Immediate Actions Required
- Upgrade PraisonAI to version 4.5.90 or later immediately to remediate this vulnerability
- If immediate upgrade is not possible, restrict network access from the PraisonAI server to only required external endpoints
- Review application logs for signs of prior exploitation attempts
- Implement network-level controls to block outbound requests to internal IP ranges from the application server
Patch Information
This vulnerability has been patched in PraisonAI version 4.5.90. The fix implements proper URL validation, scheme restrictions, and private IP filtering for the api_base parameter. Users should upgrade to this version or later to fully remediate the vulnerability. For additional details, see the GitHub Security Advisory.
Workarounds
- Deploy a reverse proxy or WAF in front of PraisonAI to filter requests with suspicious api_base parameter values
- Implement network egress filtering to prevent the PraisonAI server from connecting to internal IP ranges
- Disable or restrict access to the passthrough API endpoints if they are not required for your deployment
- Use network segmentation to isolate the PraisonAI server from sensitive internal services
# Example iptables rules to block outbound connections to private IP ranges
# Apply these on the PraisonAI server to mitigate SSRF attacks
# Block connections to RFC 1918 private address ranges
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
# Block connections to link-local and cloud metadata endpoints
iptables -A OUTPUT -d 169.254.0.0/16 -j DROP
iptables -A OUTPUT -d 127.0.0.0/8 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
