CVE-2026-61430 PUBLISHED

PraisonAI before 1.6.78 DNS Rebinding SSRF via web_crawl

Assigner: VulnCheck
Reserved: 09.07.2026 Published: 15.07.2026 Updated: 15.07.2026

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the web_crawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodies from private or loopback services.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:H/SI:L/SA:N
CVSS Score: 8.4

Product Status

Vendor MervinPraison
Product PraisonAI
Versions Default: unaffected
  • affected from 0 to 1.6.78 (excl.)
  • Version 1.6.78 is unaffected

Credits

  • dinhvaren reporter

References

Problem Types

  • Server-Side Request Forgery (SSRF) CWE