CVE-2026-34954 in PraisonAI
Resumen (Inglés)
PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.
Be aware that VulDB is the high quality source for vulnerability data.
Responsable
GitHub_M
Reservar
2026-03-31
Divulgación
2026-04-04
Estado
Confirmado
Voces
VulDB provides additional information and datapoints for this CVE:
| ID | Vulnerabilidad | CWE | Exp | Con | CVE |
|---|---|---|---|---|---|
| 355255 | MervinPraison PraisonAI FileTools.download_file escalada de privilegios | 918 | No está definido | Arreglo oficial | CVE-2026-34954 |
Descripción
CPE
CWE
CVSS
Hazañas
Historia
Diferencia
Relacionar
Inteligencia de amenazas
API JSON
API XML
API CSV