CVE-2026-61430

Severity CVSS v4.0:
HIGH
Type:
CWE-918 Server-Side Request Forgery (SSRF)
Publication date:
15/07/2026
Last modified:
15/07/2026

Description

PraisonAI before 1.6.78 contains a server-side request forgery vulnerability in the web_crawl tool that validates hostnames at check time but re-resolves them at connection time without IP pinning. Attackers can use DNS rebinding to bypass SSRF protection and retrieve internal HTTP response bodies from private or loopback services.