CVE-2026-34936: PraisonAI: SSRF via api_base steals cloud IAM credentials

GHSA-x6m9-gxvr-7jpv HIGH CISA: TRACK*
Published April 1, 2026
CISO Take

Any praisonai deployment on cloud infrastructure with IMDSv1 enabled is at immediate risk of IAM credential theft—patch to 4.5.90 now. The default AUTH_ENABLED=False makes the passthrough API network-accessible without authentication, meaning any attacker who can reach the server can weaponize this with a 10-line PoC. Enforce IMDSv2 on all EC2 instances running AI workloads as a mandatory defense-in-depth measure regardless of patching status.

What is the risk?

High, trending critical in cloud environments. CVSS 7.7 with network-accessible attack vector, low complexity, and no user interaction required. The real-world blast radius exceeds the base score: IAM credential exfiltration on EC2 with IMDSv1 enables full account-level lateral movement. Auth disabled by default amplifies exposure to any network-reachable attacker. Exploitation complexity is trivially low—the published PoC is 10 lines of Python requiring no AI/ML expertise.

What systems are affected?

Package: praisonai
Ecosystem: pip
Vulnerable Range: <= 4.5.89
Patched: 4.5.90
1 dependents, 84% patched, ~0d to patch

Do you use praisonai? You're affected.

Severity & Risk

CVSS 3.1
7.7 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 3% of all CVEs
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
CISA SSVC: Public PoC
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV Network
AC Low
PR Low
UI None
S Changed
C High
I None
A None

What should I do?

  1. Patch immediately: upgrade praisonai to >=4.5.90.

  2. If patching is delayed: set AUTH_ENABLED=True and restrict network access to the praisonai API server via firewall/security group rules.

  3. Enforce IMDSv2 on all EC2 instances running AI workloads: aws ec2 modify-instance-metadata-options --instance-id <id> --http-tokens required --http-put-response-hop-limit 1.

  4. Audit IAM roles on praisonai hosts and enforce least-privilege—remove permissions not required for LLM inference.

  5. Detection: monitor outbound HTTP from praisonai processes to 169.254.169.254, 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0/12.

  6. Long-term: implement an api_base domain allowlist at the application or WAF layer.
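The detection in step 5, as an added example (not code from PraisonAI or this advisory): it scans connection records for egress from the praisonai process to the metadata address or the RFC 1918 ranges listed above. The record layout, the sample lines and the function names are constructed for illustration.

```python
import ipaddress

# Destinations named in step 5 of the remediation list.
WATCHED = {
    "metadata-service": ipaddress.ip_network("169.254.169.254/32"),
    "rfc1918-192.168": ipaddress.ip_network("192.168.0.0/16"),
    "rfc1918-10": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918-172.16": ipaddress.ip_network("172.16.0.0/12"),
}

# Constructed sample records: "<timestamp> <process> <dst_ip> <dst_port>".
SAMPLE_LOG = """\
2026-01-01T10:00:01Z praisonai 104.18.7.192 443
2026-01-01T10:00:05Z praisonai 169.254.169.254 80
2026-01-01T10:00:06Z nginx 10.0.3.12 8080
2026-01-01T10:00:09Z praisonai ::ffff:10.0.3.12 5432
2026-01-01T10:00:11Z praisonai not-an-ip 80
2026-01-01T10:00:12Z praisonai 172.32.0.1 443
"""


def classify(dst):
    """Return the watched-range label for dst, or None if it is not watched."""
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return None  # unparsable destination: nothing to match on
    # Unwrap IPv4-mapped IPv6 so ::ffff:10.0.3.12 is matched as 10.0.3.12.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    for label, net in WATCHED.items():
        if ip.version == net.version and ip in net:
            return label
    return None


def flag_egress(log_text, process="praisonai"):
    """Return (line_no, destination, label) for each watched connection."""
    alerts = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        fields = line.split()
        if len(fields) != 4 or fields[1] != process:
            continue  # malformed record or a different process
        label = classify(fields[2])
        if label:
            alerts.append((line_no, fields[2], label))
    return alerts
```

Hosts that legitimately talk to internal services from the same process will need an exception list; the metadata-service match should stay unconditional.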

CISA SSVC Assessment

Decision Track*
Exploitation poc
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity; Art. 9 - Risk management system
ISO 42001
A.6.2 - AI risk management processes; A.8.4 - Information security controls for AI systems
NIST AI RMF
GOVERN-6.1 - Policies and procedures for AI risk identification; MANAGE-2.2 - Mechanisms to address AI risks
OWASP LLM Top 10
LLM06:2025 - Excessive Agency

Frequently Asked Questions

Is CVE-2026-34936 actively exploited?

No confirmed active exploitation of CVE-2026-34936 has been reported, but organizations should still patch proactively.

What systems are affected by CVE-2026-34936?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, LLM API proxies, cloud-hosted AI pipelines, model serving.

What is the CVSS score for CVE-2026-34936?

CVE-2026-34936 has a CVSS v3.1 base score of 7.7 (HIGH). The EPSS exploitation probability is 0.01%.

Technical Details

NVD Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.
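The three checks the description says were missing (scheme validation, private IP filtering, domain allowlist), and the api_base allowlist from remediation step 6, sketched as an added example; this is not PraisonAI's patch or code from this advisory. The allowlisted host names, the function names and the injectable resolver are assumptions for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the upstream LLM hosts this deployment proxies to (illustrative).
ALLOWED_HOSTS = frozenset({"api.openai.com", "api.anthropic.com"})


class ApiBaseRejected(ValueError):
    """A caller-supplied api_base failed validation."""


def resolve_all(host, port):
    """Every address the name currently resolves to (default resolver)."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def validate_api_base(api_base, allowed_hosts=ALLOWED_HOSTS, resolver=resolve_all):
    """Return the normalized base URL, or raise ApiBaseRejected."""
    try:
        parts = urlsplit(api_base)
        port = parts.port or 443
    except ValueError as exc:  # malformed netloc or port
        raise ApiBaseRejected(str(exc)) from exc
    if parts.scheme != "https":
        raise ApiBaseRejected(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise ApiBaseRejected("userinfo in URL not allowed")
    host = (parts.hostname or "").rstrip(".").lower()
    if host not in allowed_hosts:
        raise ApiBaseRejected(f"host {host!r} not on allowlist")
    # Private IP filtering: an allowlisted name must not point inward.
    for addr in resolver(host, port):
        ip = ipaddress.ip_address(addr.split("%")[0])
        ip = getattr(ip, "ipv4_mapped", None) or ip
        if not ip.is_global:
            raise ApiBaseRejected(f"{host} resolves to non-public {ip}")
    netloc = host if port == 443 else f"{host}:{port}"
    return f"https://{netloc}{parts.path.rstrip('/')}"


def is_allowed(api_base, resolver=resolve_all):
    """Boolean wrapper for callers that only need a yes/no answer."""
    try:
        validate_api_base(api_base, resolver=resolver)
        return True
    except ApiBaseRejected:
        return False
```

Validating and then connecting by name leaves a DNS rebinding window, so the HTTP client should connect to the address that was vetted and should not follow redirects.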

Exploitation Scenario

An attacker discovers a praisonai-powered AI assistant or API endpoint exposed on the network; because auth is disabled by default, no credentials are required. They POST a crafted request to the passthrough endpoint with api_base='http://169.254.169.254/latest/meta-data/iam/security-credentials/' and custom_llm_provider='__nonexistent__'. The AttributeError fallback fires, praisonai makes an unauthenticated HTTP GET to the EC2 metadata service, and returns temporary IAM credentials in the API response. Within minutes, the attacker uses the stolen credentials to enumerate S3 buckets containing training data and model artifacts, access other AWS services in scope for that IAM role, and potentially pivot to adjacent accounts via role chaining. Total attack time with the published PoC: under five minutes.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Timeline

Published
April 1, 2026
Last Modified
April 3, 2026
First Seen
April 2, 2026
