Vulnerability Description
PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker. This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed). This vulnerability is fixed in 1.5.128.
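A hardened fetch path of the kind the description calls for, as an added example (not PraisonAI's code and not its 1.5.128 fix): it resolves the target, rejects private, loopback and link-local answers, and follows redirects by hand so a 169.254.169.254 hop hidden behind a public URL is caught instead of being auto-followed. The names example.test, rebind.test, FAKE_DNS, fake_resolver and fake_get are constructed offline stand-ins.

```python
import ipaddress
import socket
from types import SimpleNamespace
from urllib.parse import urljoin, urlparse

def is_blocked(ip):
    """True for addresses a crawler must never reach: RFC1918, loopback,
    link-local (incl. 169.254.169.254), multicast, reserved, unspecified."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped:
        ip = ip.ipv4_mapped          # ::ffff:169.254.169.254 is still metadata
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)

def resolve_all(host):
    """Every A/AAAA answer for host (IP literals resolve without DNS)."""
    return {ipaddress.ip_address(ai[4][0]) for ai in socket.getaddrinfo(host, None)}

def validate_url(url, resolver=resolve_all):
    """Return (ok, reason); refuses non-http(s) schemes and any blocked answer."""
    p = urlparse(url)
    if p.scheme not in ("http", "https"):
        return False, f"scheme {p.scheme!r} not allowed"
    if not p.hostname:
        return False, "missing host"
    try:
        ips = resolver(p.hostname)
    except (socket.gaierror, ValueError) as exc:
        return False, f"cannot resolve {p.hostname}: {exc}"
    bad = sorted(str(ip) for ip in ips if is_blocked(ip))
    return (False, f"{p.hostname} -> blocked {bad}") if bad else (True, "ok")

def safe_fetch(url, get, max_hops=5, resolver=resolve_all):
    """Fetch with redirects followed by hand so every hop is validated.
    get(url) returns an object with .status_code/.headers/.text; an
    httpx.Client(follow_redirects=False).get fits, as does fake_get below."""
    for _ in range(max_hops + 1):
        ok, reason = validate_url(url, resolver)
        if not ok:
            raise ValueError(f"refusing {url}: {reason}")
        resp = get(url)
        loc = resp.headers.get("location")
        if resp.status_code in (301, 302, 303, 307, 308) and loc:
            url = urljoin(url, loc)   # relative Location resolves against this hop
            continue
        return resp
    raise ValueError("too many redirects")

# Constructed stand-ins so the example runs offline (hypothetical hosts).
FAKE_DNS = {"example.test": {ipaddress.ip_address("93.184.216.34")},
            "rebind.test": {ipaddress.ip_address("93.184.216.34"), ipaddress.ip_address("10.0.0.5")}}

def fake_resolver(host):
    return FAKE_DNS.get(host) or {ipaddress.ip_address(host)}

def fake_get(url):
    """Simulates a public page that 302s to the cloud metadata endpoint."""
    if url == "https://example.test/":
        return SimpleNamespace(status_code=302, text="",
                               headers={"location": "http://169.254.169.254/latest/meta-data/"})
    return SimpleNamespace(status_code=200, headers={}, text="public page")
```

Validating once and then letting the HTTP client resolve the name again leaves a DNS-rebinding window; pinning the connection to the validated address (or resolving inside the transport) closes it.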
CVSS Score
6.5 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Praison | Praisonaiagents | < 1.5.128 |
Related Weaknesses (CWE)
References
- https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qq9r-63f6-v5 (Exploit, Vendor Advisory)
FAQ
What is CVE-2026-40160?
CVE-2026-40160 is a vulnerability with a CVSS score of 6.5 (MEDIUM). PraisonAIAgents is a multi-agent teams system. Prior to 1.5.128, web_crawl's httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host va...
How severe is CVE-2026-40160?
CVE-2026-40160 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS score section above for the severity rating.
Is there a patch for CVE-2026-40160?
Check the references section above for vendor advisories and patch information. Affected products include: Praison Praisonaiagents.