Arbitrary Webhook URL Validation Flaw in PraisonAI Solution by Mervin Praison
CVE-2026-40114

7.2 HIGH

Key Information:

CVE Published: 9 April 2026

What is CVE-2026-40114?

PraisonAI, a multi-agent team system, contains a vulnerability in its /api/v1/runs endpoint: the endpoint accepts an arbitrary webhook URL without proper validation. An unauthenticated attacker who submits a job can therefore make the server issue POST requests to attacker-chosen external or internal addresses. This is a server-side request forgery (SSRF) that exposes cloud metadata endpoints, internal APIs, and adjacent network services to unauthorized access. The vulnerability has been addressed in PraisonAI version 4.5.128.
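The mitigation for this class of flaw is to validate a user-supplied webhook URL before the server ever connects to it. The following is an added illustration, not PraisonAI's code or the fix shipped in 4.5.128: it enforces an HTTPS-only scheme, rejects embedded credentials, resolves the host, and refuses any address that is loopback, link-local (including the 169.254.169.254 cloud metadata range), private, multicast, or otherwise non-global. The resolver is injectable so the policy can be unit-tested without network access; the allowed-scheme set and the `validate_webhook_url` name are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumption for this example: outbound webhooks are HTTPS-only.
ALLOWED_SCHEMES = {"https"}


def _default_resolve(host):
    """Resolve a hostname to the set of IP address strings it points at."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def _is_blocked(ip_text):
    """True for any address a webhook delivery must never reach.

    Uses the ipaddress module's own classification: everything that is not
    globally routable (loopback, link-local, RFC 1918, unspecified, CGNAT,
    documentation ranges) plus multicast. IPv4-mapped IPv6 literals such as
    ::ffff:10.0.0.1 are judged by the inner IPv4 address so they cannot be
    used to slip past an IPv4-only deny list.
    """
    addr = ipaddress.ip_address(ip_text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (not addr.is_global) or addr.is_multicast


def validate_webhook_url(url, resolve=_default_resolve):
    """Return (ok, reason) for a caller-supplied webhook URL.

    `resolve` maps a hostname to a set of IP strings; it defaults to real DNS
    and is parameterised so tests can supply a constructed mapping.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets stripped for IPv6 literals, lowercased
    if not host:
        return False, "missing host"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL are not allowed"

    # A literal IP needs no lookup; a hostname is resolved and every answer
    # is checked, since a single internal A/AAAA record is enough for SSRF.
    try:
        ips = {str(ipaddress.ip_address(host))}
    except ValueError:
        ips = resolve(host)
    if not ips:
        return False, f"could not resolve {host!r}"
    for ip in ips:
        if _is_blocked(ip):
            return False, f"{host!r} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs for a quick manual run.
    for candidate in (
        "https://hooks.example.com/cb",
        "https://169.254.169.254/latest/meta-data/",
        "http://hooks.example.com/cb",
        "https://[::ffff:10.0.0.1]/cb",
    ):
        print(candidate, "->", validate_webhook_url(candidate))
```

Two caveats apply to any validator of this shape. Checking at job-submission time is not enough on its own: a hostname can be re-pointed at an internal address between validation and delivery (DNS rebinding), so the HTTP client that actually sends the POST should connect to the already-validated IP or re-run the check at connect time. The client should also not follow redirects automatically, since a redirect from an allowed host to an internal one bypasses the check; either disable redirects or validate each hop with the same function.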

Affected Version(s)

PraisonAI < 4.5.128

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
