CVE-2026-34936: PraisonAI: SSRF via api_base steals cloud IAM credentials

GHSA-x6m9-gxvr-7jpv HIGH CISA: TRACK*
Published April 1, 2026
CISO Take

Any praisonai deployment on cloud infrastructure with IMDSv1 enabled is at immediate risk of IAM credential theft—patch to 4.5.90 now. The default AUTH_ENABLED=False makes the passthrough API network-accessible without authentication, meaning any attacker who can reach the server can weaponize this with a 10-line PoC. Enforce IMDSv2 on all EC2 instances running AI workloads as a mandatory defense-in-depth measure regardless of patching status.

What is the risk?

High, trending critical in cloud environments. CVSS 7.7 with network-accessible attack vector, low complexity, and no user interaction required. The real-world blast radius exceeds the base score: IAM credential exfiltration on EC2 with IMDSv1 enables full account-level lateral movement. Auth disabled by default amplifies exposure to any network-reachable attacker. Exploitation complexity is trivially low—the published PoC is 10 lines of Python requiring no AI/ML expertise.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
PraisonAI pip <= 4.5.89 4.5.90
1 dependents 82% patched ~0d to patch Full package profile →

Do you use PraisonAI? You're affected.

How severe is it?

CVSS 3.1
7.7 / 10
EPSS
0.3%
chance of exploitation in 30 days
Higher than 26% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

6 steps
  1. Patch immediately: upgrade praisonai to >=4.5.90.

  2. If patching is delayed: set AUTH_ENABLED=True and restrict network access to the praisonai API server via firewall/security group rules.

  3. Enforce IMDSv2 on all EC2 instances running AI workloads: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1.

  4. Audit IAM roles on praisonai hosts and enforce least-privilege—remove permissions not required for LLM inference.

  5. Detection: monitor outbound HTTP from praisonai processes to 169.254.169.254, 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12.

  6. Long-term: implement an api_base domain allowlist at the application or WAF layer.

What does CISA's SSVC say?

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity Art. 9 - Risk management system
ISO 42001
A.6.2 - AI risk management processes A.8.4 - Information security controls for AI systems
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk identification MANAGE-2.2 - Mechanisms to address AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

What is CVE-2026-34936?

Any praisonai deployment on cloud infrastructure with IMDSv1 enabled is at immediate risk of IAM credential theft—patch to 4.5.90 now. The default AUTH_ENABLED=False makes the passthrough API network-accessible without authentication, meaning any attacker who can reach the server can weaponize this with a 10-line PoC. Enforce IMDSv2 on all EC2 instances running AI workloads as a mandatory defense-in-depth measure regardless of patching status.

Is CVE-2026-34936 actively exploited?

No confirmed active exploitation of CVE-2026-34936 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-34936?

1. Patch immediately: upgrade praisonai to >=4.5.90. 2. If patching is delayed: set AUTH_ENABLED=True and restrict network access to the praisonai API server via firewall/security group rules. 3. Enforce IMDSv2 on all EC2 instances running AI workloads: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1. 4. Audit IAM roles on praisonai hosts and enforce least-privilege—remove permissions not required for LLM inference. 5. Detection: monitor outbound HTTP from praisonai processes to 169.254.169.254, 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12. 6. Long-term: implement an api_base domain allowlist at the application or WAF layer.

What systems are affected by CVE-2026-34936?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API proxies, cloud-hosted AI pipelines, model serving.

What is the CVSS score for CVE-2026-34936?

CVE-2026-34936 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.34%.

What is the AI security impact?

Affected AI Architectures

agent frameworksLLM API proxiescloud-hosted AI pipelinesmodel serving

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means
AML.T0040 AI Model Inference API Access
AML.T0049 Exploit Public-Facing Application
AML.T0055 Unsecured Credentials
AML.T0075 Cloud Service Discovery

Compliance Controls Affected

EU AI Act: Art. 15, Art. 9
ISO 42001: A.6.2, A.8.4
NIST AI RMF: GOVERN-6.1, MANAGE-2.2
OWASP LLM Top 10: LLM06:2025

What are the technical details?

Original Advisory

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.

Exploitation Scenario

Attacker discovers a praisonai-powered AI assistant or API endpoint exposed on the network—auth disabled by default requires no credentials. They POST a crafted request to the passthrough endpoint with api_base='http://169.254.169.254/latest/meta-data/iam/security-credentials/' and custom_llm_provider='__nonexistent__'. The AttributeError fallback fires, praisonai makes an unauthenticated HTTP GET to the EC2 metadata service, and returns temporary IAM credentials in the API response. Within minutes, the attacker uses stolen credentials to enumerate S3 buckets containing training data and model artifacts, access other AWS services in scope for that IAM role, and potentially pivot to adjacent accounts via role chaining. Total attack time with the published PoC: under five minutes.

Weaknesses (CWE)

CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
April 1, 2026
Last Modified
April 3, 2026
First Seen
April 2, 2026

Related Vulnerabilities