cbcvebase.
CVE-2026-47390
published 2026-05-29


Severity: medium

# PraisonAI spider_tools SSRF protection bypass via alternate loopback host encodings

### Summary

PraisonAI's `spider_tools` URL validation can be bypassed using alternate loopback host encodings.

The affected component is:

```text
praisonaiagents/tools/spider_tools.py
```

The tool contains a URL validation function intended to block local or unsafe targets before fetching attacker-controlled URLs. However, the validation only blocks a small set of exact host strings such as `localhost` and `127.0.0.1`.

It does not normalize hostnames, resolve DNS, parse numeric IPv4 variants, or validate the final resolved IP address before making the request.

As a result, URLs such as the following bypass the protection and still reach loopback services:

```text
http://localhost.:8765/
http://127.1:8765/
http://0177.0.0.1:8765/
http://0x7f000001:8765/
http://2130706433:8765/
```

After the weak validation passes, `scrape_page()` calls `requests.Session.get()` on the attacker-controlled URL. This allows an attacker who can influence URLs passed to `scrape_page`, `crawl`, or `extract_text` to induce SSRF requests against loopback-only services.

This is a server-side request forgery protection bypass.

### Details

The affected code is in:

```text
praisonaiagents/tools/spider_tools.py
```

The vulnerable flow is:

```text
attacker-controlled URL
-> spider_tools._validate_url(...)
-> weak exact-host blocklist check
-> validation passes for alternate loopback encodings
-> scrape_page(...)
-> requests.Session.get(attacker_url)
-> loopback service is reached
```

The validation appears to block only exact local hostnames or exact IPv4 strings. For example, it blocks simple forms such as:

```text
localhost
127.0.0.1
```

However, equivalent loopback forms are not rejected before the request is made.

Confirmed bypass examples:

```text
http://localhost.:8765/
http://127.1:8765/
http://0177.0.0.1:8765/
http://0x7f000001:8765/
http://2130706433:8765/
```

These values can resolve 
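The following is an added example for this advisory, not PraisonAI's code. `weak_validate_url` is an illustrative reconstruction of the exact-match blocklist behaviour the advisory describes (the real function's internals are not reproduced here), and `hardened_validate_url` applies the steps the advisory says are missing: hostname normalization, parsing of numeric IPv4 variants, DNS resolution, and a check of every resolved address. It also rejects IPv6 loopback and IPv4-mapped literals, which go beyond the encodings listed on the page. The `resolver` parameter is an assumption added so the check can be exercised offline with a stand-in resolver.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Illustrative reconstruction of the weak check the advisory describes:
# an exact-string blocklist. This is NOT the project's code.
WEAK_BLOCKLIST = {"localhost", "127.0.0.1"}


def weak_validate_url(url: str) -> bool:
    """Exact-match blocklist: every alternate loopback encoding passes."""
    host = urlsplit(url).hostname or ""
    return host not in WEAK_BLOCKLIST


def host_to_ip(host: str):
    """Parse an IP literal the way the OS would, or return None for a name."""
    try:
        # inet_aton accepts the legacy forms an exact-match check misses:
        # "127.1", octal "0177.0.0.1", hex "0x7f000001", decimal "2130706433".
        return ipaddress.IPv4Address(socket.inet_aton(host))
    except OSError:
        pass
    try:
        return ipaddress.ip_address(host)           # IPv6 literal such as ::1
    except ValueError:
        return None


def is_internal(ip) -> bool:
    """True for any address a URL fetcher should never be allowed to reach."""
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                         # [::ffff:127.0.0.1] -> 127.0.0.1
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def hardened_validate_url(url: str, resolver=socket.getaddrinfo):
    """Return (allowed, reason, addresses). `resolver` is injectable for tests."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, "scheme not allowed", []
    host = parts.hostname
    if not host:
        return False, "missing host", []
    host = host.rstrip(".").lower()                 # "localhost." -> "localhost"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost name", []
    ip = host_to_ip(host)
    if ip is not None:                              # numeric host: no DNS needed
        if is_internal(ip):
            return False, f"ip literal {ip} is internal", [str(ip)]
        return True, "public ip literal", [str(ip)]
    try:
        infos = resolver(host, parts.port or 80, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return False, f"dns failure: {exc}", []
    addrs = sorted({info[4][0] for info in infos})
    for addr in addrs:                              # every record must be public
        if is_internal(ipaddress.ip_address(addr)):
            return False, f"{host} resolves to internal {addr}", addrs
    return True, "ok", addrs


if __name__ == "__main__":
    # The bypass URLs quoted in the advisory, run through both checks.
    for u in ("http://localhost.:8765/", "http://127.1:8765/",
              "http://0177.0.0.1:8765/", "http://0x7f000001:8765/",
              "http://2130706433:8765/"):
        print(u, "weak:", weak_validate_url(u), "hardened:", hardened_validate_url(u)[:2])
```

Two caveats apply even with this check in place. `requests.Session.get()` resolves the hostname again when it connects, so a name that passed validation can be rebound to a loopback address between the check and the request; pinning the connection to the validated address, or re-validating at connect time, closes that window. Redirects are followed by default, so a public URL that redirects to one of the loopback forms above skips the check unless each hop is validated as well.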

### Affected

3 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0, < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0, < 1.6.40 | 1.6.40 |
| mervinpraison | praisonaiagents | >= 0, < 1.6.59 | 1.6.59 |