Arbitrary URL Fetching Vulnerability in PraisonAI Agents by Mervin Praison
CVE-2026-40150

7.7 HIGH

Key Information:

Vendor
CVE Published:
9 April 2026

What is CVE-2026-40150?

The web_crawl() function in PraisonAI Agents accepts input from AI agents without any validation. This allows malicious actors to make the agent fetch unauthorized data from cloud metadata endpoints, internal services, or even local files, potentially leading to data breaches. The issue has been addressed in version 1.5.128, which includes proper validation measures.
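The kind of pre-fetch check whose absence is described above, as an added example: this is not PraisonAI's code and not the fix shipped in 1.5.128. The names check_url, system_resolve and stub_resolve are hypothetical, and the DNS table is constructed sample data so the block runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # anything else (file://, ftp://, ...) is refused

def system_resolve(host):
    """Every address the name maps to, via the system resolver (needs DNS)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_url(url, resolve=system_resolve):
    """Hypothetical gate run before any fetch: returns (allowed, reason)."""
    try:
        parts = urlsplit(url)
        host = parts.hostname
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "no host"
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP in the URL
    except ValueError:
        try:
            addrs = resolve(host)  # hostname: judge what it resolves to
        except OSError:
            addrs = set()
    if not addrs:
        return False, "host does not resolve"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        mapped = getattr(ip, "ipv4_mapped", None)  # ::ffff:a.b.c.d form
        if mapped is not None:
            ip = mapped
        # is_global is False for loopback, RFC 1918, link-local (169.254/16), etc.
        if not ip.is_global:
            return False, f"{host} -> {ip} is not a public address"
    return True, "ok"

# Constructed sample data: a stub resolver so the example runs without DNS.
FAKE_DNS = {"example.com": {"93.184.216.34"}, "intranet.example": {"10.0.0.5"}}

def stub_resolve(host):
    if host not in FAKE_DNS:
        raise OSError("name not found")
    return FAKE_DNS[host]

if __name__ == "__main__":
    for u in ("file:///etc/passwd", "http://169.254.169.254/",
              "http://intranet.example/", "https://example.com/page"):
        print(u, "->", check_url(u, stub_resolve))
```

A check like this has to be repeated for every redirect target, and the connection should go to the address that was validated, since a name can resolve differently between the check and the fetch.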

Affected Version(s)

PraisonAIAgents < 1.5.128

CVSS V3.1

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
