Back to overview

CVE-2026-61429

HIGH
8.5
CVSS 3.1
Description
PraisonAI versions before 1.6.78 contain a server-side request forgery vulnerability in the Crawl4AI/Chromium backend that allows attackers to bypass SSRF validation by exploiting DNS rebinding and HTTP redirects. Attackers can craft URLs that resolve to internal services after the initial validation check, enabling the headless browser to follow redirects and read internal responses including sensitive canary values.

Metadata

CVE ID
CVE-2026-61429
State
PUBLISHED
Assigner
VulnCheck
Reserved
2026-07-09 14:05 UTC
Published
2026-07-11 13:01 UTC
Last updated
2026-07-11 13:01 UTC
Primary CWE
CWE-918
Server-Side Request Forgery (SSRF)
Vendor / Product
MervinPraison / PraisonAI
Sources
cve.org  ·  NVD

Severity & Metrics

8.5 HIGH CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Affected products (1)
VendorProductPlatformVersions
MervinPraison PraisonAI 0 < 1.6.78, 1.6.78
Weakness (CWE)
CWESourceDescription
CWE-918 cna Server-Side Request Forgery (SSRF)
CVSS scores (2)
ScoreSeverityVersionSourceVector
8.5 HIGH 3.1 cna CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
8.4 HIGH 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
References (2)
Back to overview