Server-Side Request Forgery Vulnerability in PraisonAI Web Crawl Tool
CVE-2026-61430
8.4HIGH
What is CVE-2026-61430?
PraisonAI before version 1.6.78 suffers from a server-side request forgery vulnerability in its web_crawl tool. The issue arises from a flaw in how hostnames are validated. Although hostnames are checked at the time of request, they are re-resolved at connection time without securing them with IP pinning. This allows attackers to leverage DNS rebinding techniques to circumvent SSRF protections, potentially retrieving internal HTTP response bodies from private or loopback services, posing significant risks to the security of internal systems.
Affected Version(s)
PraisonAI 0 < 1.6.78
PraisonAI 1.6.78
