CVE-2026-40160
CVE-2026-40160 is a medium-severity vulnerability in Praison Praisonaiagents with a CVSS 3.x base score of 6.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-918.
Key facts
- Severity: Medium (CVSS 3.x base score 6.5)
- CVSS v4: 7.1
- EPSS exploit prediction: 0% (20th percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-21513
- Weakness: CWE-918
- Affected product: Praison Praisonaiagents
- Published:
- Last modified:
Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
Frequently asked questions
- What is CVE-2026-40160?
- PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
- How severe is CVE-2026-40160?
- CVE-2026-40160 has a CVSS 3.x base score of 6.5, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2026-40160 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (20th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2026-40160?
- CVE-2026-40160 affects Praison Praisonaiagents. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2026-40160?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-40160 have an EU (EUVD) identifier?
- Yes. CVE-2026-40160 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-21513.
- When was CVE-2026-40160 published?
- CVE-2026-40160 was published on 2026-04-10 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:praison:praisonaiagents:*:*:*:*:*:*:*:*
More vulnerabilities in Praison Praisonaiagents
- CVE-2026-34938 — Critical (CVSS 10.0): PraisonAI is a multi-agent teams system. Prior to version 1.5.90, execute_code() in praisonai-agents runs…
- CVE-2026-44335 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. Prior to version 1.6.32, the URL checking logic in PraisonAI has a logical…
- CVE-2026-40288 — Critical (CVSS 9.8): PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the…
- CVE-2026-40289 — Critical (CVSS 9.1): PraisonAI is a multi-agent teams system. In versions below 4.5.139 of PraisonAI and 1.5.140 of praisonaiagents, the…
- CVE-2026-40111 — High (CVSS 8.8): PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, he memory hooks executor in praisonaiagents passes a…
- CVE-2026-44339 — High (CVSS 8.6): PraisonAI is a multi-agent teams system. Prior to praisonai version 4.6.37 and praisonaiagents version 1.6.37,…
All CVEs affecting Praison Praisonaiagents →
Other CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities
- CVE-2026-47938 — Critical (CVSS 10.0): Adobe Campaign Classic (ACC) versions 7.4.3 build 9394 and earlier are affected by a Server-Side Request Forgery (SSRF)…
- CVE-2026-35431 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Entra ID Entitlement Management allows an unauthorized attacker to…
- CVE-2026-32186 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Microsoft Bing allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-33107 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Databricks allows an unauthorized attacker to elevate privileges over a…
- CVE-2026-32871 — Critical (CVSS 10.0): FastMCP is a Pythonic way to build MCP servers and clients. Prior to version 3.2.0, the OpenAPIProvider in FastMCP…
- CVE-2026-32169 — Critical (CVSS 10.0): Server-side request forgery (ssrf) in Azure Cloud Shell allows an unauthorized attacker to elevate privileges over a…
Browse all CWE-918 (Server-Side Request Forgery (SSRF)) vulnerabilities →