cvedb.io
CVE-2026-34954
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2026-04-03T23:17:06.810 · Last modified 2026-06-17T10:39:52.643

Summary

PraisonAI is a multi-agent teams system. Prior to version 1.5.95, FileTools.download_file() in praisonaiagents validates the destination path but performs no validation on the url parameter, passing it directly to httpx.stream() with follow_redirects=True. An attacker who controls the URL can reach any host accessible from the server including cloud metadata services and internal network services. This issue has been patched in version 1.5.95.

Affected products

praison — praisonaiagents

Does this affect you?

Add your gear to cvedb and we'll alert you only when praison ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.