PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a blind SSRF attack.
Metrics
Affected Vendors & Products
References
History
Fri, 10 Jul 2026 17:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Fri, 10 Jul 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Mervinpraison
Mervinpraison praisonai |
|
| Vendors & Products |
Mervinpraison
Mervinpraison praisonai |
Fri, 10 Jul 2026 14:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | PraisonAI before 4.6.78 contains an unauthenticated server-side request forgery vulnerability in the Jobs API /api/v1/runs endpoint. The webhook_url parameter is validated at request time but re-resolved at connection time, allowing attackers to use DNS rebinding to reach internal services with a blind SSRF attack. | |
| Title | PraisonAI before 4.6.78 Unauthenticated SSRF via webhook_url | |
| First Time appeared |
Praison
Praison praisonai |
|
| Weaknesses | CWE-918 | |
| CPEs | cpe:2.3:a:praison:praisonai:*:*:*:*:*:*:*:* | |
| Vendors & Products |
Praison
Praison praisonai |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: VulnCheck
Published:
Updated: 2026-07-10T17:00:48.794Z
Reserved: 2026-07-08T12:14:28.344Z
Link: CVE-2026-60091
Updated: 2026-07-10T16:39:44.849Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-10T16:45:03Z