7 matches found
CVE-2026-4035 Environment Variable Resolution Vulnerability in mlflow/mlflow
A vulnerability in mlflow/mlflow versions prior to 3.11.0 allows for the resolution of environment variables in AI Gateway secrets, which can be exploited to exfiltrate sensitive server-side environment credentials to an attacker-controlled endpoint. This issue arises because the apikey field in...
CVE-2026-34936
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...
CVE-2026-34936 PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback
PraisonAI is a multi-agent teams system. Prior to version 4.5.90, passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL schem...
PraisonAI 安全漏洞
PraisonAI is a low-code multi-agent collaboration framework developed by Mervin Praison. Versions of PraisonAI prior to 4.5.90 contained security vulnerabilities. These vulnerabilities stemmed from the passthrough and apassthrough functions accepting an apibase parameter controlled by the caller...
Server-side Request Forgery (SSRF)
Overview PraisonAI is a PraisonAI is an AI Agents Framework with Self Reflection. PraisonAI application combines PraisonAI Agents, AutoGen, and CrewAI into a low-code solution for building and managing multi-agent LLM systems, focusing on simplicity, customisation, and efficient human-agent...
GHSA-X6M9-GXVR-7JPV PraisonAI: SSRF via Unvalidated api_base in passthrough() Fallback
Summary passthrough and apassthrough in praisonai accept a caller-controlled apibase parameter that is concatenated with endpoint and passed directly to httpx.Client.request when the litellm primary path raises AttributeError. No URL scheme validation, private IP filtering, or domain allowlist is...
GHSA-G26J-5385-HHW3 LiteLLM Server-Side Request Forgery (SSRF) vulnerability
A Server-Side Request Forgery SSRF vulnerability exists in berriai/litellm version 1.38.10. This vulnerability allows users to specify the apibase parameter when making requests to POST /chat/completions, causing the application to send the request to the domain specified by apibase. This request...