7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-44335

CVE-2026-44335: PraisonAI has an SSRF bypass

Summary

The URL checking logic in PraisonAI has a logical flaw that could be bypassed by attackers, leading to SSRF attacks.

Details

The current PraisonAI project uses _validate_url to validate the input URL. The main logic is to perform security checks on the host portion of the URL extracted by urlparse to prevent SSRF attacks.

However, there are indeed differences in parsing between urlparse and the library that actually sends the request. Currently, almost all application scenarios in this project involve first using _validate_url for URL validation, and then using _get_session().get to send the request.

In reality, its underlying mechanism is requests.get.

The core issue: urlparse() and requests disagree on which host a URL like http://127.0.0.1:6666\@1.1.1.1 points to:

urlparse() treats \ as a regular character and @ as the userinfo-host delimiter, so it extracts hostname as 1.1.1.1 (public)
requests treats \ as a path character, connecting to 127.0.0.1 (internal)

Below is a test code I wrote following the code.

import sys
from pathlib import Path
from pprint import pprint

sys.path.insert(0, str(Path(r"D:/BaiduNetdiskDownload/PraisonAI-main/PraisonAI-main/src/praisonai-agents")))

from praisonaiagents.tools import spider_tools

# url = "http://127.0.0.1:6666\@1.1.1.1"
url = "http://127.0.0.1:6666"

result = spider_tools.scrape_page(url)

if isinstance(result, dict) and "error" in result:
    print("scrape failed:", result["error"])
else:
    pprint(result)

When an attacker uses http://127.0.0.1:6666/, the existing detection logic can detect that this is an internal network address and block it.

However, when an attacker uses http://127.0.0.1:6666\@1.1.1.1, the detection logic resolves the host to 1.1.1.1, which is a public IP address, thus passing the verification. But in the actual request process, this URL is forwarded by requests.get to http://127.0.0.1:6666, bypassing the detection and achieving an SSRF attack.

PoC

http://127.0.0.1:6666\@1.1.1.1

Impact

SSRF

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-44335

CVE-2026-44335:

7.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
praisonaiagents	pip	<= 1.6.31	1.6.32

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists due to a discrepancy in how Python's urllib.parse.urlparse and the requests library handle URLs that contain backslashes in the authority part. The _validate_url function in praisonaiagents.tools.spider_tools.SpiderTools relied on urlparse to validate the host of a URL before an HTTP request was made elsewhere using requests. An attacker could exploit this by crafting a URL like http://127.0.0.1:6666\@1.1.1.1. The _validate_url function would see 1.1.1.1 as the host and approve the URL, but the subsequent requests.get call would target 127.0.0.1, resulting in a Server-Side Request Forgery (SSRF). The patch addresses this by explicitly checking for and rejecting URLs that contain backslashes or ASCII control characters before they are parsed, thus closing the bypass. The core of the vulnerability lies within the _validate_url function, which failed to properly sanitize the input URL.

Vulnerable functions

SpiderTools._validate_url

src/praisonai-agents/praisonaiagents/tools/spider_tools.py

The function `_validate_url` was vulnerable to a Server-Side Request Forgery (SSRF) attack. It used `urllib.parse.urlparse` to extract the hostname from a URL for validation. However, `urlparse` and the `requests` library (used to make the actual HTTP request) parse URLs containing special characters like backslashes differently. An attacker could provide a crafted URL such as `http://127.0.0.1:6666\@1.1.1.1`. `urlparse` would incorrectly identify `1.1.1.1` as the host, which would pass the security check. However, the `requests` library would correctly interpret the URL and send the request to the internal address `127.0.0.1`, thus bypassing the validation and leading to an SSRF vulnerability. The function was vulnerable because it did not sanitize or reject URLs containing these malicious characters before validation.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.