CVE-2026-40160: PraisonAIAgents: SSRF via unvalidated URL in `web_crawl` httpx fallback

April 10, 2026

web_crawl’s httpx fallback path passes user-supplied URLs directly to httpx.AsyncClient.get() with follow_redirects=True and no host validation. An LLM agent tricked into crawling an internal URL can reach cloud metadata endpoints (169.254.169.254), internal services, and localhost. The response content is returned to the agent and may appear in output visible to the attacker.

This fallback is the default crawl path on a fresh PraisonAI installation (no Tavily key, no Crawl4AI installed).

References

github.com/MervinPraison/PraisonAI
github.com/MervinPraison/PraisonAI/security/advisories/GHSA-qq9r-63f6-v542
github.com/advisories/GHSA-qq9r-63f6-v542
nvd.nist.gov/vuln/detail/CVE-2026-40160

Code Behaviors & Features

Detect and mitigate CVE-2026-40160 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →