CVE-2026-47395
published 2026-05-29CVE-2026-47395: PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context ### Summary PraisonAI's direct-prompt CLI…
medium
PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
### Summary
PraisonAI's direct-prompt CLI automatically expands `@url:` mentions in raw prompt text before agent execution begins.
If a prompt contains `@url:`, the CLI calls `MentionsParser.process(...)`. The `@url:` handler then performs a direct `urllib.request.urlopen()` request to the attacker-controlled URL and returns the response body. That response body is prepended to the final model prompt context.
There is no loopback/private-address restriction, no metadata-service restriction, and no approval gate before the fetch.
As a result, attacker-influenced prompt text can cause the operator's machine to fetch localhost-only HTTP resources and inject the response into model context.
Example:
```text
@url:http://localhost.:8766/ summarize this
````
This causes PraisonAI to make an HTTP request to the local machine and prepend the fetched response body to the prompt that the model receives.
This is a narrow local SSRF / local content disclosure issue in automatic prompt preprocessing. It is not a remote server takeover.
### Details
The affected direct-prompt CLI path is in:
```text
src/praisonai/praisonai/cli/main.py
```
The CLI imports and instantiates `MentionsParser` on the direct prompt path:
```python
from praisonaiagents.tools.mentions import MentionsParser
parser = MentionsParser(workspace_path=os.getcwd())
if parser.has_mentions(prompt):
mention_context, prompt = parser.process(prompt)
if mention_context:
prompt = f"{mention_context}# Task:\n{prompt}"
```
This means raw prompt text is interpreted as a mention language before query rewriting, prompt expansion, tool execution, or LLM invocation.
The affected mention implementation is in:
```text
src/praisonai-agents/praisonaiagents/tools/mentions.py
```
`@url:` is a first-class mention type:
```python
PATTERNS = {
"file": re.compile(r'@file:([^\s]+)'),
"web": re.compile(r'@webAffected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonaiagents | >= 0 < 1.6.40 | 1.6.40 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2026-05-29
Published