GHSA-5cxw-77wg-jrf3: PraisonAI CLI automatically resolves @url mentions in prompt text and can read loopback URLs into model context
mediumvulnerability
security
Summary
PraisonAI's CLI automatically expands @url mentions in prompts by making HTTP requests to any URL without restrictions, including localhost addresses. This allows an attacker to embed a malicious prompt with `@url:http://localhost:8766/` to make the user's machine fetch local-only HTTP resources (like metadata services or internal APIs) and inject the response into the model's context, creating a local SSRF (server-side request forgery, where a system is tricked into making requests to internal networks) vulnerability.
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 29, 2026
Classification
Attack Type
RAG Poisoning
Attack SophisticationTrivial
Impact (CIA+S)
confidentialityintegrity
Taxonomy References
MITRE ATLAS (AI/ML Threat Technique)
Affected Vendors
Affected Packages
PraisonAI@<= 4.6.39 (fixed: 4.6.40)praisonaiagents@<= 1.6.39 (fixed: 1.6.40)
Related Issues
Monthly digest — independent AI security research
Original source: https://github.com/advisories/GHSA-5cxw-77wg-jrf3
First tracked: May 29, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 92%