Server-Side Request Forgery Vulnerability in PraisonAI Web Crawl Tool
CVE-2026-61430

8.4HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-61430?

PraisonAI before version 1.6.78 suffers from a server-side request forgery vulnerability in its web_crawl tool. The issue arises from a flaw in how hostnames are validated. Although hostnames are checked at the time of request, they are re-resolved at connection time without securing them with IP pinning. This allows attackers to leverage DNS rebinding techniques to circumvent SSRF protections, potentially retrieving internal HTTP response bodies from private or loopback services, posing significant risks to the security of internal systems.

Affected Version(s)

PraisonAI 0 < 1.6.78

PraisonAI 1.6.78

References

CVSS V4

Score:
8.4
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

dinhvaren
.