Back to CVE List

CVE-2026-34936

HIGH SEVERITY

CVSS Score & Metrics

Base Score
7.7 / 10
Vector String
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

Vulnerability Description

PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough() and apassthrough() in praisonai accept a caller-controlled api_base parameter that is concatenated with endpoint and passed directly to httpx.Client.request() when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is applied, allowing requests to any host reachable from the server. This issue has been patched in version 4.5.90.

Vulnerability Details

Published Date
Last Modified
CWE ID
CWE-918
Source
GitHub
Vendor
pip
Product
praisonai

External References

Discussion (0)

Add Comment

No comments yet. Be the first!