CVE-2026-40150: PraisonAIAgents has SSRF and Local File Read via Unvalidated URLs in web_crawl Tool

April 10, 2026

The web_crawl() function in praisonaiagents/tools/web_crawl_tools.py accepts arbitrary URLs from AI agents with zero validation. No scheme allowlisting, hostname/IP blocklisting, or private network checks are applied before fetching. This allows an attacker (or prompt injection in crawled content) to force the agent to fetch cloud metadata endpoints, internal services, or local files via file:// URLs.

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8f4v-xfm9-3244
github.com/advisories/GHSA-8f4v-xfm9-3244
nvd.nist.gov/vuln/detail/CVE-2026-40150

Code Behaviors & Features

Detect and mitigate CVE-2026-40150 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →