API Exposure Vulnerability in PraisonAI by Mervin Praison
CVE-2026-34936
What is CVE-2026-34936?
PraisonAI, a multi-agent teams system, has a critical weakness in versions prior to 4.5.90 in how the passthrough() and apassthrough() functions handle the 'api_base' parameter. The caller-supplied api_base value is concatenated with the endpoint without validation, and the result is sent via httpx.Client.request(), so an attacker who can pass this input can manipulate the API requests. Because there is no URL scheme validation, private IP filtering, or domain allowlist, requests can be directed to any host accessible from the server. The vulnerability was fixed in version 4.5.90, and users are recommended to update their installations promptly.
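
The three checks the description lists as missing (URL scheme validation, domain allowlist, private IP filtering) can be applied to api_base before it is joined to the endpoint. The following is an added example, not PraisonAI's code and not the 4.5.90 fix; check_api_base, build_url, ALLOWED_HOSTS and the host names are hypothetical.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption: the hosts this deployment is meant to reach (constructed sample values).
ALLOWED_HOSTS = {"api.provider.example", "llm-gateway.example.com"}


def _resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_api_base(api_base, allowed_hosts=ALLOWED_HOSTS, resolve=_resolve):
    """Return a normalised api_base, or raise ValueError if it must not be used."""
    parts = urlsplit(api_base)
    # 1. Scheme validation: https only, so http://, file:// and the rest are refused.
    if parts.scheme != "https":
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    # Refuse userinfo so the host that is checked is the host that is contacted.
    if parts.username or parts.password:
        raise ValueError("userinfo not allowed in api_base")
    host = (parts.hostname or "").rstrip(".").lower()
    # 2. Domain allowlist: exact match only, no suffix or substring matching.
    if host not in allowed_hosts:
        raise ValueError(f"host not on allowlist: {host!r}")
    # 3. Private IP filtering: every resolved address must be publicly routable.
    for addr in resolve(host):
        ip = ipaddress.ip_address(addr)
        if not ip.is_global:
            raise ValueError(f"{host} resolves to non-public address {ip}")
    port = f":{parts.port}" if parts.port else ""
    return f"https://{host}{port}{parts.path.rstrip('/')}"


def build_url(api_base, endpoint, **kwargs):
    """Validated form of the api_base + endpoint concatenation."""
    return check_api_base(api_base, **kwargs) + "/" + endpoint.lstrip("/")
```

Name resolution is checked here but happens again when the request is sent, so the check belongs immediately before the httpx call, with redirects left disabled.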

Affected Version(s)
PraisonAI < 4.5.90
