CVE-2026-34936: PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback

April 1, 2026 (updated April 6, 2026)

passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server.

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-x6m9-gxvr-7jpv
github.com/advisories/GHSA-x6m9-gxvr-7jpv
nvd.nist.gov/vuln/detail/CVE-2026-34936

Code Behaviors & Features

Detect and mitigate CVE-2026-34936 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →