CVE-2026-47395
published 2026-05-29

medium
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context

### Summary

PraisonAI's direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins.

If a prompt contains `@url:`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a direct `urllib.request.urlopen()` request to the attacker-controlled URL and returns the response body. That response body is prepended to the final model prompt context.

There is no loopback/private-address restriction, no metadata-service restriction, and no approval gate before the fetch.

As a result, attacker-influenced prompt text can cause the operator's machine to fetch localhost-only HTTP resources and inject the response into model context.

Example:

```text
@url:http://localhost.:8766/ summarize this
```

This causes PraisonAI to make an HTTP request to the local machine and prepend the fetched response body to the prompt that the model receives.

This is a narrow local SSRF / local content disclosure issue in automatic prompt preprocessing. It is not a remote server takeover.
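One way to gate `@url:` targets before any fetch, as an added example (not PraisonAI's code and not its actual fix). `check_mention_url`, `system_resolve`, the scheme allow-list and the sample addresses in the comments are hypothetical names and constructed values.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: mentions only need web URLs


def system_resolve(host, port):
    """Return every IP address string the OS resolver gives for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def check_mention_url(url, resolve=system_resolve):
    """Hypothetical pre-fetch gate for @url: targets; returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        port = parts.port or (443 if parts.scheme == "https" else 80)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # An IP literal is checked directly; a name is checked by what it resolves
        # to, so spellings such as "localhost." cannot slip past a string compare.
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolve(host, port)
        except OSError:
            return False, "host did not resolve"
    if not addresses:
        return False, "host did not resolve"
    for text in addresses:
        ip = ipaddress.ip_address(text.split("%")[0])  # drop any IPv6 zone id
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:127.0.0.1 is really 127.0.0.1
        # is_global is False for loopback, RFC 1918, link-local
        # (169.254.169.254 metadata endpoints) and other reserved ranges.
        if not ip.is_global:
            return False, f"{host} resolves to non-public address {ip}"
    return True, "ok"
```

A check like this only holds if the fetch then connects to the address that was vetted and applies the same check to every redirect hop; otherwise the name can resolve differently at fetch time.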

### Details

The affected direct-prompt CLI path is in:

```text
src/praisonai/praisonai/cli/main.py
```

The CLI imports and instantiates `MentionsParser` on the direct prompt path:

```python
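import os

from praisonaiagents.tools.mentions import MentionsParser

# Runs on the raw prompt text, before any agent or LLM step
parser = MentionsParser(workspace_path=os.getcwd())

if parser.has_mentions(prompt):
    # @url: targets are fetched inside process() and returned as mention_context
    mention_context, prompt = parser.process(prompt)

    if mention_context:
        prompt = f"{mention_context}# Task:\n{prompt}"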
```

This means raw prompt text is interpreted as a mention language before query rewriting, prompt expansion, tool execution, or LLM invocation.

The affected mention implementation is in:

```text
src/praisonai-agents/praisonaiagents/tools/mentions.py
```

`@url:` is a first-class mention type:

```python
PATTERNS = {
    "file": re.compile(r'@file:([^\s]+)'),
    "web": re.compile(r'@web
```

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |