CVE-2026-34954 Overview
CVE-2026-34954 is a Server-Side Request Forgery (SSRF) vulnerability affecting PraisonAI, a multi-agent teams system. The vulnerability exists in the FileTools.download_file() function within the praisonaiagents component, where the URL parameter is passed directly to httpx.stream() without proper validation. With follow_redirects=True enabled, an attacker who controls the URL input can force the server to make requests to arbitrary internal or external hosts, including cloud metadata services and internal network endpoints.
Critical Impact
Attackers can exploit this SSRF vulnerability to access sensitive cloud metadata services (such as AWS IMDSv1 at 169.254.169.254), probe internal network infrastructure, and potentially exfiltrate credentials or sensitive configuration data from services not intended to be publicly accessible.
Affected Products
- PraisonAI versions prior to 1.5.95
- praisonaiagents component with FileTools.download_file() function
Discovery Timeline
- 2026-04-03 - CVE-2026-34954 published to NVD
- 2026-04-09 - Last updated in NVD database
Technical Details for CVE-2026-34954
Vulnerability Analysis
This vulnerability stems from missing input validation on user-controlled URL parameters in the FileTools.download_file() function. While the function properly validates the destination path to prevent directory traversal attacks, it fails to apply any filtering or validation to the URL parameter before passing it to the HTTP client library.
The httpx.stream() function is called with follow_redirects=True, which further amplifies the attack surface. An attacker can craft a malicious URL that initially points to an allowed domain but redirects to internal services, effectively bypassing any superficial URL checks that might exist elsewhere in the application.
The scope change in this vulnerability means that an attacker can compromise systems beyond the vulnerable application itself—reaching cloud provider metadata endpoints, internal APIs, database administration interfaces, and other network-adjacent services that rely on network segmentation for security.
Root Cause
The root cause is CWE-918 (Server-Side Request Forgery). The FileTools.download_file() function accepts an attacker-controlled URL parameter and uses it directly in an HTTP request without implementing URL validation, allowlist checking, or blocking of private IP address ranges. The combination of no URL sanitization and automatic redirect following creates a complete SSRF attack vector.
Attack Vector
This vulnerability is exploitable over the network without requiring authentication or user interaction. An attacker can supply a malicious URL pointing to internal resources such as:
- Cloud metadata services (e.g., http://169.254.169.254/latest/meta-data/)
- Internal network services on private IP ranges (10.x.x.x, 172.16.x.x, 192.168.x.x)
- Localhost services running on the server (127.0.0.1)
- Internal DNS names that resolve to private infrastructure
The vulnerability allows attackers to request the server to download files from any URL the server can reach, with responses potentially containing sensitive data such as cloud credentials, API keys, or internal service information.
For technical implementation details and proof-of-concept information, refer to the GitHub Security Advisory for GHSA-44c2-3rw4-5gvh.
Detection Methods for CVE-2026-34954
Indicators of Compromise
- Outbound HTTP requests from the PraisonAI server to cloud metadata service endpoints (169.254.169.254, 169.254.170.2)
- HTTP requests targeting internal IP address ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) from the application
- Unusual outbound connections to localhost or loopback addresses (127.0.0.0/8)
- Requests to uncommon ports typically associated with internal services (e.g., database ports, admin interfaces)
Detection Strategies
- Monitor application logs for FileTools.download_file() calls with URLs targeting private IP ranges or localhost
- Implement network-level detection for outbound requests from application servers to cloud metadata endpoints
- Deploy web application firewall (WAF) rules to inspect and block SSRF payloads in URL parameters
- Use DNS logging to identify resolution of internal hostnames triggered by the application
Monitoring Recommendations
- Enable detailed HTTP request logging for the praisonaiagents component to capture all download URL parameters
- Configure cloud security groups to block metadata service access from application instances where not required
- Implement egress filtering and logging to detect unauthorized internal network reconnaissance
- Set up alerts for any requests to the IMDSv1 endpoint from application workloads
How to Mitigate CVE-2026-34954
Immediate Actions Required
- Upgrade PraisonAI to version 1.5.95 or later immediately to remediate this vulnerability
- Audit application logs for evidence of exploitation attempts targeting internal URLs or metadata services
- Review network egress rules and restrict outbound connections from PraisonAI servers to only necessary external endpoints
- If running in cloud environments, disable IMDSv1 and enforce IMDSv2 with hop limits to reduce SSRF impact
Patch Information
PraisonAI has addressed this vulnerability in version 1.5.95. The patch introduces URL validation to the FileTools.download_file() function to prevent requests to internal networks and sensitive endpoints. Users should update to version 1.5.95 or later as soon as possible.
For complete patch details, see the PraisonAI Security Advisory.
Workarounds
- Implement network-level controls to block application server access to cloud metadata services and internal network ranges
- Deploy a forward proxy that validates and filters outbound HTTP requests from the application
- Restrict DNS resolution for the application to prevent resolution of internal hostnames
- If possible, disable or restrict access to the FileTools.download_file() functionality until patching is complete
# Example: Block metadata service access using iptables (Linux)
# Apply on PraisonAI server to prevent SSRF to cloud metadata endpoints
iptables -A OUTPUT -d 169.254.169.254 -j DROP
iptables -A OUTPUT -d 169.254.170.2 -j DROP
# Block access to common internal IP ranges
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 10.0.0.0/8 -p tcp --dport 443 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -p tcp --dport 80 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
