PraisonAI versions before 1.5.95 contain an SSRF vulnerability (CWE-918) in the FileTools.download_file() function within the praisonaiagents module. The function fails to validate the URL parameter, forwarding it directly to httpx.stream() with follow_redirects set to true. This flaw enables attackers to induce the server to send requests to arbitrary internal or external hosts accessible from the server environment. The vulnerability is rated with a CVSS 3.1 score of 8.6 (high severity), reflecting network attack vector, low attack complexity, no privileges required, no user interaction, scope change, and high confidentiality impact but no integrity or availability impact. The vulnerability was publicly disclosed on April 3, 2026, and has been patched in PraisonAI version 1.5.95.

An attacker who can control the URL parameter can exploit this SSRF vulnerability to make the vulnerable server send requests to any reachable host, including sensitive internal services and cloud metadata endpoints. This can lead to unauthorized information disclosure, particularly of confidential data accessible via internal network services. The vulnerability does not directly affect integrity or availability but poses a significant confidentiality risk.

This vulnerability has been patched in PraisonAI version 1.5.95. Users should upgrade to version 1.5.95 or later to remediate this issue. No other official remediation or temporary fixes are documented. Until the upgrade is applied, avoid passing untrusted input to the download_file() URL parameter or implement strict URL validation as a temporary measure. Patch status is not explicitly stated beyond the version fix; verify with the vendor for the latest advisory.