Unauthenticated SSRF in PraisonAI Jobs API via webhook_url
TL;DR — PraisonAI’s unauthenticated Jobs API can be abused for SSRF by supplying an attacker-controlled webhook_url, causing the server to POST job results to internal or external destinations.
What happened
PraisonAI includes a FastAPI-based Jobs API that accepts run submissions at /api/v1/runs and can send completion callbacks to a user-provided webhook.
CVE-2026-40114 (GitHub advisory GHSA-8frj-8q3m-xhgm) describes a Server-Side Request Forgery (SSRF) issue where /api/v1/runs accepts an arbitrary webhook_url with no URL validation, then uses httpx.AsyncClient to POST to that URL when a job completes (success or failure). The advisory also states the Jobs API server is mounted with no authentication middleware by default, meaning a network-reachable attacker can trigger this without credentials.
| Item | Source value |
|---|---|
| Affected software | PraisonAI (PyPI) |
| Vulnerability class | SSRF (CWE-918) |
| Attack surface | /api/v1/runs request-body webhook_url used for outbound callbacks |
| Severity | CVSS v3.1 7.2 (High) (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N) |
| Affected versions | All versions prior to 4.5.128 (advisory range: introduced 0, fixed 4.5.128) |
| Impact highlights (advisory) | SSRF to internal services; cloud metadata access targets like 169.254.169.254; internal reconnaissance; data exfiltration via webhook payload |
SSRF remains a high-leverage primitive in modern deployments because it turns “internal-only” network trust (metadata endpoints, private control planes, service meshes) into an externally triggerable capability — especially dangerous when paired with unauthenticated APIs.
Who is impacted
- Deployments running PraisonAI versions in the advisory's affected range (versions before 4.5.128).
- Any environment where the Jobs API server is network-reachable and accepts untrusted traffic (internet-exposed, shared internal networks, or partner-accessible services).
- Cloud-hosted deployments where access to metadata services or internal APIs from the application network could amplify impact.
What to do now
- Follow vendor remediation guidance and apply a release that includes the fix (the advisory lists 4.5.128 as the fixed version).
- Inventory where the Jobs API server is deployed and confirm the running version(s) (virtualenvs, containers, and baked artifacts).
- Until patched, reduce exposure by limiting who can reach the Jobs API endpoint /api/v1/runs and constraining outbound egress from the service (particularly to internal address space and metadata endpoints such as 169.254.169.254). Key egress rules on destination IP rather than hostname: the callback hostname is attacker-chosen and resolves to whatever the attacker's DNS returns.
- Review telemetry for suspicious job submissions specifying unusual webhook_url destinations (internal IPs, link-local ranges, or attacker-controlled domains), and treat webhook-delivered job results as potential data-exfil paths, since the POST body carries the job output to wherever the URL points.
Quoted remediation guidance: "Add URL validation to restrict webhook URLs to safe destinations."
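The following Python is an added example, not PraisonAI's code and not the advisory's patch. It shows the destination check that the remediation guidance above calls for (the server must refuse to POST job results to a webhook_url that points at loopback, RFC 1918, link-local or otherwise non-public space), and reuses the same check to triage constructed job-submission log lines for the suspicious destinations listed under "What to do now". The function names, the EXPECTED_WEBHOOK_HOSTS allowlist, the JSON log shape and every sample URL are assumptions made for the example.

```python
"""Added example, not code from PraisonAI or from the advisory's fix.
Validates a caller-supplied webhook_url before a job server may POST to it,
and triages job-submission log lines for SSRF attempts. All names, the
allowlist, the log format and the sample URLs are assumptions."""
import ipaddress
import json
import socket
from urllib.parse import urlsplit

# Assumption: operators know which callback hosts are legitimate here;
# anything else is at least worth a look during triage.
EXPECTED_WEBHOOK_HOSTS = {"hooks.example.com"}


def is_public_ip(ip) -> bool:
    """True only for globally routable addresses.

    is_global already excludes what an SSRF attacker wants (RFC 1918,
    loopback, link-local including 169.254.169.254, CGNAT, unspecified,
    documentation ranges); IPv4-mapped IPv6 is unwrapped first so that
    ::ffff:127.0.0.1 cannot smuggle loopback past an IPv6-only check.
    """
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def resolve_webhook_url(url: str, allow_http: bool = False) -> str:
    """Validate a webhook URL and return the one public IP to connect to.

    Raises ValueError for anything that must not be dialled. The caller is
    expected to pin the returned IP (connect to it, keep the original Host
    header and SNI) so a DNS answer cannot change between check and POST.
    """
    parts = urlsplit(url)
    scheme = parts.scheme
    if scheme not in ("https", "http") or (scheme == "http" and not allow_http):
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials embedded in webhook URL")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    if host == "localhost" or host.endswith(".localhost"):
        raise ValueError("localhost is not a valid callback target")
    try:                                    # IP literal: no DNS involved
        addrs = {ipaddress.ip_address(host)}
    except ValueError:                      # hostname: check every answer
        port = parts.port or (443 if scheme == "https" else 80)
        try:
            infos = socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f"cannot resolve {host}: {exc}") from None
        addrs = {ipaddress.ip_address(info[4][0]) for info in infos}
    bad = sorted(str(a) for a in addrs if not is_public_ip(a))
    if bad:
        raise ValueError(f"{host} points at non-public address(es): {bad}")
    # Every answer passed, so any of them is safe; pick deterministically.
    return str(min(addrs, key=lambda a: (a.version, int(a))))


def webhook_rejection(url: str, allow_http: bool = False):
    """Reason the URL would be refused, or None when it is acceptable."""
    try:
        resolve_webhook_url(url, allow_http=allow_http)
    except ValueError as exc:
        return str(exc)
    return None


def triage_submissions(log_lines):
    """Return {job_id: reason} for submissions whose webhook_url is suspect.

    Lines are assumed to be JSON objects with job_id and webhook_url.
    Allowlisted hosts pass without resolution; everything else goes through
    the server-side check, and public-but-unknown hosts are flagged as well,
    because an unexpected destination is itself the signal.
    """
    flagged = {}
    for line in log_lines:
        rec = json.loads(line)
        url = rec.get("webhook_url")
        if not url:
            continue
        host = urlsplit(url).hostname or ""
        if host in EXPECTED_WEBHOOK_HOSTS:
            continue
        reason = webhook_rejection(url, allow_http=True)
        flagged[rec["job_id"]] = reason or f"unexpected callback host {host!r}"
    return flagged


# Constructed sample log lines, not real PraisonAI telemetry.
SAMPLE_LOG = [
    '{"job_id": "job-1", "webhook_url": "https://hooks.example.com/praison"}',
    '{"job_id": "job-2", "webhook_url": "http://169.254.169.254/latest/meta-data/"}',
    '{"job_id": "job-3", "webhook_url": "http://10.0.0.5:8500/v1/kv/"}',
    '{"job_id": "job-4", "webhook_url": "http://[::ffff:127.0.0.1]:6379/"}',
    '{"job_id": "job-5", "webhook_url": "file:///etc/passwd"}',
    '{"job_id": "job-6", "webhook_url": "https://8.8.8.8/collect"}',
]

if __name__ == "__main__":
    for job, why in sorted(triage_submissions(SAMPLE_LOG).items()):
        print(f"{job}: {why}")
```

Two design points. First, validation alone does not close the hole: the HTTP client resolves the hostname again when it connects, so an attacker-controlled DNS record can return a public address for the check and a private one a moment later. Connect to the IP the check returned (keeping the original Host header and SNI) or repeat the check inside the client's transport, and make sure the callback client does not follow redirects, since a public host can otherwise bounce the POST straight to 169.254.169.254. Second, in triage the allowlist is what distinguishes "public but unexpected" from legitimate traffic; without one, every external destination looks the same, which is exactly why the egress controls above remain the backstop.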
