Unauthenticated Server-Side Request Forgery in PraisonAI
CVE-2026-60091
6.9MEDIUM
What is CVE-2026-60091?
The PraisonAI application prior to version 4.6.78 is vulnerable to an unauthenticated server-side request forgery (SSRF) through its Jobs API at the /api/v1/runs endpoint. This vulnerability arises due to inadequate validation of the webhook_url parameter, which, while initially checked at the request stage, is re-resolved during the connection phase. This flaw permits attackers to exploit the application via DNS rebinding techniques, potentially gaining access to internal services without authentication, leading to serious security implications.
Affected Version(s)
PraisonAI 0 < 4.6.78
PraisonAI 4.6.78
