CVE-2026-61429: PraisonAI: SSRF bypass via DNS rebinding/redirects
HIGHPraisonAI's Crawl4AI/Chromium browsing backend can be tricked into fetching internal network resources even though it validates URLs before crawling: an attacker submits a URL that passes the initial SSRF check, then uses DNS rebinding or a crafted HTTP redirect so the headless browser actually connects to an internal service after validation has already passed. There is no EPSS score, CISA KEV entry, public exploit, or Nuclei template available yet, and downstream dependent counts for PraisonAI are unknown, so this isn't showing signs of mass exploitation today — but the CVSS 8.5 rating reflects a genuinely low-effort, no-user-interaction path to reading internal responses (including sensitive canary values), which is exactly the profile of confidentiality-only SSRF bugs that get weaponized quietly against cloud metadata endpoints and internal admin panels. Any deployment that lets a PraisonAI agent invoke its web-crawling/browsing tool on user- or model-supplied URLs should treat this as a live exposure, not a theoretical one, given attack complexity is low and only low privileges are required. Patch to PraisonAI 1.6.78 or later immediately; until then, restrict egress from the crawler's network segment (block RFC1918 ranges and 169.254.169.254) and re-validate the resolved IP at connection time on every redirect hop instead of trusting a single pre-fetch check. Watch crawler logs for requests resolving to internal IP ranges as a detection signal in the interim.
What is the risk?
High severity (CVSS 8.5, AV:N/AC:L/PR:L/UI:N) driven by a confidentiality-high impact — successful exploitation reads internal responses, including sensitive canary values, with no user interaction and low attacker privileges required. However, real-world urgency is currently tempered by the absence of EPSS scoring, CISA KEV listing, public exploit code, or a Nuclei template, and unknown downstream dependent counts limit blast-radius estimation. The exploit path itself (DNS rebinding + redirect-based validation bypass) requires moderate networking knowledge, not commodity script-kiddie tooling, but is well-documented and repeatable once understood. Organizations running PraisonAI with the Crawl4AI/Chromium browsing tool exposed to any untrusted input (user prompts, retrieved content, agent-to-agent handoffs) should treat this as immediately actionable given the low complexity and lack of required interaction, even though it is not yet an actively exploited-in-the-wild vulnerability.
How does the attack unfold?
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| PraisonAI | pip | — | No patch |
Do you use PraisonAI? You're affected.
How severe is it?
What is the attack surface?
What should I do?
1 step-
1) Upgrade PraisonAI to version 1.6.78 or later, which fixes the SSRF validation bypass. 2) If immediate patching isn't possible, network-isolate the Crawl4AI/Chromium crawler process so it cannot reach RFC1918 private ranges, link-local addresses (169.254.169.254 and cloud metadata equivalents), or other internal-only hosts — enforce this at the network/firewall layer, not just in application code. 3) Re-validate the resolved IP address at actual connection time (and on every redirect hop the headless browser follows), rather than validating only the initial hostname/IP before the request is issued — this closes the DNS-rebinding TOCTOU gap. 4) Disable or cap automatic redirect-following in the crawling backend where feasible, or re-run SSRF checks against each redirect target. 5) For detection, monitor crawler/proxy logs for outbound requests resolving to internal or link-local IP ranges, and alert on any canary/honeytoken values appearing in crawler output. 6) Rotate any secrets or canary tokens that may have been exposed to internal services reachable by the crawler prior to patching.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2026-61429?
PraisonAI's Crawl4AI/Chromium browsing backend can be tricked into fetching internal network resources even though it validates URLs before crawling: an attacker submits a URL that passes the initial SSRF check, then uses DNS rebinding or a crafted HTTP redirect so the headless browser actually connects to an internal service after validation has already passed. There is no EPSS score, CISA KEV entry, public exploit, or Nuclei template available yet, and downstream dependent counts for PraisonAI are unknown, so this isn't showing signs of mass exploitation today — but the CVSS 8.5 rating reflects a genuinely low-effort, no-user-interaction path to reading internal responses (including sensitive canary values), which is exactly the profile of confidentiality-only SSRF bugs that get weaponized quietly against cloud metadata endpoints and internal admin panels. Any deployment that lets a PraisonAI agent invoke its web-crawling/browsing tool on user- or model-supplied URLs should treat this as a live exposure, not a theoretical one, given attack complexity is low and only low privileges are required. Patch to PraisonAI 1.6.78 or later immediately; until then, restrict egress from the crawler's network segment (block RFC1918 ranges and 169.254.169.254) and re-validate the resolved IP at connection time on every redirect hop instead of trusting a single pre-fetch check. Watch crawler logs for requests resolving to internal IP ranges as a detection signal in the interim.
Is CVE-2026-61429 actively exploited?
No confirmed active exploitation of CVE-2026-61429 has been reported, but organizations should still patch proactively.
How to fix CVE-2026-61429?
1) Upgrade PraisonAI to version 1.6.78 or later, which fixes the SSRF validation bypass. 2) If immediate patching isn't possible, network-isolate the Crawl4AI/Chromium crawler process so it cannot reach RFC1918 private ranges, link-local addresses (169.254.169.254 and cloud metadata equivalents), or other internal-only hosts — enforce this at the network/firewall layer, not just in application code. 3) Re-validate the resolved IP address at actual connection time (and on every redirect hop the headless browser follows), rather than validating only the initial hostname/IP before the request is issued — this closes the DNS-rebinding TOCTOU gap. 4) Disable or cap automatic redirect-following in the crawling backend where feasible, or re-run SSRF checks against each redirect target. 5) For detection, monitor crawler/proxy logs for outbound requests resolving to internal or link-local IP ranges, and alert on any canary/honeytoken values appearing in crawler output. 6) Rotate any secrets or canary tokens that may have been exposed to internal services reachable by the crawler prior to patching.
What systems are affected by CVE-2026-61429?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, web crawling/browsing tools, tool invocation pipelines.
What is the CVSS score for CVE-2026-61429?
CVE-2026-61429 has a CVSS v3.1 base score of 8.5 (HIGH).
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0049 Exploit Public-Facing Application AML.T0053 AI Agent Tool Invocation AML.T0086 Exfiltration via AI Agent Tool Invocation Compliance Controls Affected
What are the technical details?
Original Advisory
PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. Attackers can craft URLs that resolve to internal services after the initial validation check, enabling the headless browser to follow redirects and read internal responses including sensitive canary values.
Exploitation Scenario
An attacker with low-privilege access to a PraisonAI-based agent (e.g., as an end user submitting a research/browsing task, or via content the agent is instructed to retrieve) supplies a URL to a domain they control that initially resolves to a public IP, satisfying the agent's SSRF allowlist check. Once validation passes, the attacker either lets the domain's DNS record rebind (via a very short TTL) to an internal IP address, or has their server respond with an HTTP redirect pointing to an internal resource such as a cloud metadata endpoint or an internal admin panel. The Crawl4AI/Chromium backend, having already cleared the initial check, follows the rebound connection or redirect without re-validating it, fetches the internal resource, and returns its contents (including sensitive canary/token values proving internal reachability) back through the agent's tool output to the attacker — effectively turning the agent's browsing capability into an internal network reconnaissance and data-exfiltration proxy.
Weaknesses (CWE)
CWE-918 — Server-Side Request Forgery (SSRF): The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N References
Timeline
Related Vulnerabilities
CVE-2026-61447 10.0 PraisonAI: RCE via unsandboxed LLM code execution
Same package: praisonai CVE-2026-61445 9.9 PraisonAI: AICoder root RCE via unsanitized tool calls
Same package: praisonai CVE-2026-47392 9.9 praisonaiagents: RCE via Python sandbox bypass
Same package: praisonai GHSA-vmmj-pfw7-fjwp 9.9 praisonai: sandbox escape gives RCE via codeMode tool
Same package: praisonai GHSA-vc46-vw85-3wvm 9.8 PraisonAI: RCE via malicious workflow YAML execution
Same package: praisonai