CVE-2026-40160 Overview
CVE-2026-40160 is a Server-Side Request Forgery (SSRF) vulnerability in PraisonAIAgents, a multi-agent teams system. Prior to version 1.5.128, the web_crawl function's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. This allows an LLM agent tricked into crawling an internal URL to reach cloud metadata endpoints, internal services, and localhost resources.
Critical Impact
An attacker can leverage this SSRF vulnerability to access sensitive cloud metadata endpoints (169.254.169.254), internal network services, and localhost resources. Response content is returned to the agent and may appear in output visible to the attacker, enabling information disclosure from protected internal systems.
Affected Products
- PraisonAIAgents versions prior to 1.5.128
- Default installations without Tavily key configured
- Installations without Crawl4AI installed (using httpx fallback path)
Discovery Timeline
- 2026-04-10 - CVE-2026-40160 published to NVD
- 2026-04-13 - Last updated in NVD database
Technical Details for CVE-2026-40160
Vulnerability Analysis
This vulnerability is classified as CWE-918 (Server-Side Request Forgery). The root issue lies in the web_crawl function's fallback mechanism when neither Tavily nor Crawl4AI is available. In this configuration, which is the default on fresh PraisonAI installations, the code uses httpx.AsyncClient.get() to fetch URLs without any validation of the target host.
The attack requires network access and some user interaction, as an LLM agent must be tricked into processing a malicious URL. Successful exploitation has a high confidentiality impact on both the vulnerable system and subsequent systems, with limited integrity impact on downstream systems.
Root Cause
The vulnerability stems from insufficient input validation in the httpx fallback crawl path. The web_crawl function accepts user-supplied URLs and passes them directly to the HTTP client without implementing any allowlist or blocklist for target hosts. Combined with follow_redirects=True, this allows attackers to redirect requests to arbitrary internal endpoints.
Without host validation, the application will make requests to:
- Cloud metadata services at 169.254.169.254
- Internal network services on private IP ranges
- Localhost services on 127.0.0.1
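The kind of host check this code path lacked, shown as an added example (it is not the PraisonAIAgents patch or code from the advisory): every hop is validated before it is requested, so a redirect cannot carry the request to an internal address. The fetch transport, FAKE_DNS and FAKE_SITE are hypothetical, constructed stand-ins so the example runs offline.

```python
import ipaddress
import socket
from urllib.parse import urljoin, urlsplit

def resolve_host(host):  # default resolver (needs DNS): all addresses for the name
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})

def is_internal(addr):
    """True for loopback, RFC 1918, link-local (169.254.0.0/16) and the like."""
    ip = ipaddress.ip_address(addr)
    ip = getattr(ip, "ipv4_mapped", None) or ip  # unwrap ::ffff:10.0.0.5
    return not ip.is_global or ip.is_multicast

def validate_url(url, resolver=resolve_host):
    """Return (ok, reason); ok only if every resolved address is public."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False, "scheme or host not allowed"
    try:
        addrs = [str(ipaddress.ip_address(parts.hostname))]  # IP literal, no lookup
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs or any(is_internal(a) for a in addrs):
        return False, f"{parts.hostname} resolves to an internal or no address"
    return True, "ok"

def safe_fetch(url, fetch, resolver=resolve_host, max_redirects=5):
    """Follow redirects by hand, validating each hop before requesting it.
    fetch(url): hypothetical no-redirect transport -> (status, location, body)."""
    for _ in range(max_redirects + 1):
        ok, reason = validate_url(url, resolver)
        if not ok:
            raise ValueError(f"blocked {url}: {reason}")
        status, location, body = fetch(url)
        if status not in (301, 302, 303, 307, 308) or not location:
            return body
        url = urljoin(url, location)
    raise ValueError("too many redirects")

# Constructed sample data so the example runs offline.
FAKE_DNS = {"docs.example.com": ["93.184.216.34"], "redirector.example.net": ["93.184.216.35"]}
FAKE_SITE = {"http://docs.example.com/": (200, None, "public page"),
             "http://redirector.example.net/go": (302, "http://169.254.169.254/latest/meta-data/", "")}

def demo(url):
    try:
        return safe_fetch(url, FAKE_SITE.__getitem__, lambda h: FAKE_DNS.get(h, []))
    except ValueError as exc:
        return str(exc)
```

A production client should also connect to the address that was validated, or re-check the peer address after connecting, because a second DNS lookup made by the HTTP client can return a different answer than the one that was checked.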
Attack Vector
The attack is network-based and exploits the trust relationship between the LLM agent and the web_crawl function. An attacker can craft prompts or inject content that causes the LLM agent to request internal URLs through the vulnerable crawl function.
A typical attack scenario involves:
- The attacker crafts input that tricks the LLM agent into crawling a URL pointing to http://169.254.169.254/latest/meta-data/
- The httpx fallback path makes the request without validation
- Cloud metadata (including potential IAM credentials) is returned to the agent
- The response content appears in output accessible to the attacker
For technical details and the specific code paths involved, see the GitHub Security Advisory.
Detection Methods for CVE-2026-40160
Indicators of Compromise
- Outbound HTTP requests from the PraisonAI application to internal IP addresses (10.x.x.x, 172.16.x.x-172.31.x.x, 192.168.x.x)
- Requests to cloud metadata endpoints at 169.254.169.254
- Unusual requests to localhost (127.0.0.1) from the application process
- HTTP traffic patterns showing redirects from external URLs to internal targets
Detection Strategies
- Monitor network traffic from PraisonAI instances for connections to RFC1918 private addresses
- Implement alerting for any requests to the AWS/GCP/Azure metadata service IP (169.254.169.254)
- Log and analyze all URLs processed by the web_crawl function
- Deploy network segmentation to detect lateral movement attempts from AI agent servers
Monitoring Recommendations
- Enable verbose logging for httpx client requests in PraisonAI deployments
- Configure SIEM rules to alert on metadata endpoint access patterns
- Monitor for unusual data volumes in LLM agent outputs that may indicate successful SSRF exploitation
- Implement egress filtering and log all denied connection attempts from application servers
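One way to triage crawl logs for the indicators listed above, as an added example that is not part of the original advisory. The JSON log schema (ts, url, final_url, peer_ip) is an assumption, since PraisonAIAgents is not stated to emit such a log, and the sample lines are constructed.

```python
import ipaddress
import json

METADATA_IP = ipaddress.ip_address("169.254.169.254")

def classify(peer):
    """Label the address the crawler actually connected to, or None if public."""
    ip = ipaddress.ip_address(peer)
    if ip == METADATA_IP:
        return "metadata"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private or ip.is_link_local:
        return "private"
    return None

def triage(log_lines):
    """Return one alert per crawl event whose peer address is internal."""
    alerts = []
    for line in log_lines:
        try:
            ev = json.loads(line)
            label = classify(ev["peer_ip"])
            requested, final = ev["url"], ev.get("final_url", ev["url"])
        except (ValueError, KeyError, TypeError):
            continue  # not a crawl event, or unparsable
        if label is not None:
            # via_redirect marks an external URL that ended at an internal target
            alerts.append({"ts": ev.get("ts"), "target": label,
                           "via_redirect": final != requested, "requested": requested})
    return alerts

# Constructed sample log lines (hypothetical schema).
SAMPLE_LOG = [
    '{"ts":"2026-04-12T09:14:02Z","url":"https://docs.example.com/","final_url":"https://docs.example.com/","peer_ip":"93.184.216.34"}',
    '{"ts":"2026-04-12T09:14:07Z","url":"http://169.254.169.254/latest/meta-data/","final_url":"http://169.254.169.254/latest/meta-data/","peer_ip":"169.254.169.254"}',
    '{"ts":"2026-04-12T09:15:31Z","url":"http://redirector.example.net/go","final_url":"http://10.0.4.12/status","peer_ip":"10.0.4.12"}',
    'INFO crawler started',
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(alert)
```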
How to Mitigate CVE-2026-40160
Immediate Actions Required
- Upgrade PraisonAIAgents to version 1.5.128 or later immediately
- If immediate upgrade is not possible, configure a Tavily API key or install Crawl4AI to avoid the vulnerable httpx fallback path
- Implement network-level controls to block outbound requests to internal IP ranges and metadata endpoints from AI agent servers
- Review logs for any historical evidence of SSRF exploitation
Patch Information
The vulnerability is fixed in PraisonAIAgents version 1.5.128. The fix implements proper host validation to prevent requests to internal addresses and cloud metadata endpoints. For detailed patch information, refer to the GitHub Security Advisory.
Workarounds
- Deploy network firewall rules to block outbound connections from PraisonAI servers to internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16)
- Block all connections to the metadata service IP 169.254.169.254 at the network level
- Configure a Tavily API key to bypass the vulnerable httpx fallback code path
- Install Crawl4AI as an alternative crawling backend that may include its own validation
# Network-level mitigation: block metadata and internal access with iptables
# Block the cloud metadata endpoint
iptables -A OUTPUT -d 169.254.169.254 -j DROP
# Block private IP ranges
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
# Upgrade to the patched version (quoted so the shell does not treat > as a redirect)
pip install --upgrade "praisonaiagents>=1.5.128"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


