CVE-2026-34954
Published 2026-04-03
Priority: P3 (53)
Severity: high, CVSS 3.1 base score 8.6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
EPSS: 0.40% (32.3rd percentile)
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | < 1.5.95 | 1.5.95 |
| mervinpraison | praisonaiagents | >= 0 < 1.5.95 | 1.5.95 |
| praison | praisonaiagents | < 1.5.95 | 1.5.95 |
OSV
osv · 2026-04-01
CVE-2026-34954 [HIGH] PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
### Summary
`FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services.
### Details
`file_tools.py:259` (source) -> `file_tools.py:296` (sink)
```python
# source -- url taken directly from caller, no validation
def download_file(self, url: str, destination: str, ...):
    ...
    # sink -- unvalidated url passed to httpx with redirect following
    with httpx.stream("GET", url, timeout=timeout, follow_redirects=True) as response:
        ...
```
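A hardened replacement for the source-to-sink flow above, added here as an illustration and not taken from the PraisonAI 1.5.95 patch. It checks the URL before the request and again at every redirect hop, because with `follow_redirects=True` on the original sink a public host can simply bounce the client to 169.254.169.254. The function names (`check_url`, `safe_download`), the injectable `resolver` hook and the sample addresses are assumptions made for the example; the validator is stdlib-only so it runs offline, and httpx is needed only for the actual transfer.

```python
"""Hardened download helper (example code, not PraisonAI's own).

Validation is stdlib-only (urllib.parse, ipaddress, socket); httpx is imported
only for safe_download(). Names and the resolver hook are illustrative.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Optional
from urllib.parse import urljoin, urlsplit

try:
    import httpx
except ImportError:  # validation still works without httpx installed
    httpx = None

ALLOWED_SCHEMES = {"http", "https"}
MAX_REDIRECTS = 5
# Ranges the ipaddress module does not flag (or flags inconsistently across versions).
EXTRA_DENY = [
    ipaddress.ip_network("100.64.0.0/10"),  # CGNAT / shared address space
    ipaddress.ip_network("192.0.0.0/24"),   # IETF protocol assignments
]

Resolver = Callable[[str], Iterable[str]]  # hostname -> IP strings (assumed hook)


class UnsafeURLError(ValueError):
    """Raised when a URL must not be fetched from this host."""


def _normalize(ip):
    # ::ffff:127.0.0.1 is loopback in disguise: judge the embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _is_public(ip) -> bool:
    # Rejects loopback, RFC 1918 / ULA, link-local (which includes the
    # 169.254.169.254 metadata endpoint), multicast, reserved and unspecified.
    if (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in EXTRA_DENY if net.version == ip.version)


def _system_resolve(host: str) -> List[str]:
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror as exc:
        raise UnsafeURLError(f"{host!r} did not resolve: {exc}") from exc
    return [info[4][0].split("%")[0] for info in infos]  # drop IPv6 scope ids


def resolve_host(host: str, resolver: Optional[Resolver] = None):
    """Return every address the host points at, as ipaddress objects."""
    try:  # IP literal: nothing to resolve, but still normalise it
        return [_normalize(ipaddress.ip_address(host))]
    except ValueError:
        pass
    addrs = list((resolver or _system_resolve)(host))
    if not addrs:
        raise UnsafeURLError(f"{host!r} did not resolve")
    return [_normalize(ipaddress.ip_address(a)) for a in addrs]


def check_url(url: str, resolver: Optional[Resolver] = None) -> str:
    """Return url unchanged if scheme, host and every resolved address are acceptable."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURLError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise UnsafeURLError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise UnsafeURLError("URL has no host")
    for ip in resolve_host(host, resolver):
        if not _is_public(ip):
            raise UnsafeURLError(f"{host!r} resolves to non-public address {ip}")
    return url


def is_safe_url(url: str, resolver: Optional[Resolver] = None) -> bool:
    """Boolean wrapper around check_url() for callers that prefer not to catch."""
    try:
        check_url(url, resolver)
        return True
    except UnsafeURLError:
        return False


def safe_download(url: str, destination: str, timeout: float = 30.0,
                  resolver: Optional[Resolver] = None) -> str:
    """Stream url to destination, validating the first URL and each redirect target.

    Destination-path validation is out of scope here (the advisory says the
    original already does it). Returns the URL that finally served the body.
    """
    if httpx is None:
        raise RuntimeError("httpx is required for downloading")
    current = check_url(url, resolver)
    with httpx.Client(timeout=timeout, follow_redirects=False) as client:
        for _ in range(MAX_REDIRECTS + 1):
            with client.stream("GET", current) as response:
                if response.is_redirect:
                    # Re-check the hop: a public host may 302 to the metadata service.
                    target = urljoin(current, response.headers["location"])
                    current = check_url(target, resolver)
                    continue
                response.raise_for_status()
                with open(destination, "wb") as fh:
                    for chunk in response.iter_bytes():
                        fh.write(chunk)
                return current
    raise UnsafeURLError(f"more than {MAX_REDIRECTS} redirects")
```

Two caveats a reviewer would raise against even this version: the check and the connect are separate DNS lookups, so a rebinding domain can pass `check_url` and then resolve to 10.0.0.5 when httpx connects (pin the validated IP, or route downloads through an egress proxy with its own allowlist); and a denylist of address ranges is only as good as the list, so where the set of legitimate download hosts is known, an allowlist of hostnames is the stronger control.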
### PoC
```bash
# t
```
GHSA
ghsa · 2026-04-01
CVE-2026-34954 [HIGH] CWE-918 PraisonAI Has SSRF in FileTools.download_file() via Unvalidated URL
No detection rules found.
No public exploits indexed.
Published: 2026-04-03