PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
PraisonAI Authentication Bypass Exploited Within Hours of Public Disclosure
TL;DR — CVE-2026-44338, an authentication bypass in PraisonAI's legacy Flask API server, was targeted by threat actors within 3 hours and 44 minutes of the advisory's publication on May 11, 2026. The flaw allows unauthenticated access to agent enumeration and workflow triggering endpoints. All versions from 2.5.6 through 4.6.33 are affected; version 4.6.34 patches the issue.
What happened
On May 11, 2026 at 13:56 UTC, PraisonAI maintainers published an advisory disclosing CVE-2026-44338, a missing authentication vulnerability in the framework's legacy Flask API server. The flaw stems from hard-coded defaults in src/praisonai/api_server.py that set AUTH_ENABLED = False and AUTH_TOKEN = None.
Within 3 hours and 44 minutes—at 17:40 UTC the same day—security researchers at Sysdig observed the first targeted exploitation attempt. A scanner identifying itself as CVE-Detector/1.0 originating from IP address 146.190.133.49 probed the vulnerable /agents endpoint on internet-exposed instances. The scanner conducted two passes spaced eight minutes apart, each sending approximately 70 requests in roughly 50 seconds. The first pass tested generic disclosure paths; the second specifically targeted AI-agent surfaces, including PraisonAI.
The successful exploit against the /agents endpoint returned HTTP 200 with a JSON body containing the agent file configuration and list of configured agents, confirming the authentication bypass worked. No POST requests to the /chat endpoint were observed during the scanning activity, suggesting the actor was conducting initial reconnaissance to confirm exploitability rather than executing workflows.
Security researcher Shmulik Cohen is credited with discovering and reporting the vulnerability to PraisonAI's maintainers.
Why it matters
The authentication bypass is unconditional on the shipped legacy API server. An unauthenticated attacker with network access can:
- Enumerate the configured agents.yaml workflow file and its agents through the /agents endpoint
- Trigger execution of locally configured agents through the /chat endpoint without providing a token
- Consume model and API quotas tied to the operator's credentials
- Receive execution results from PraisonAI.run() calls
The concrete impact depends on what permissions and integrations the operator's agents are configured to access. An agent with database write access, credential rotation capabilities, or external API integrations could enable lateral movement, data exfiltration, or infrastructure compromise. The rapid exploitation timeline—measured in single-digit hours from disclosure to active probing—demonstrates that operators deploying PraisonAI with the vulnerable default configuration face minimal response time before active threats materialize.
Affected systems and CVEs
- PraisonAI versions 2.5.6 through 4.6.33 — CVE-2026-44338 (CVSS 7.3)
The flaw has been patched in version 4.6.34.
What to do
- Upgrade PraisonAI to version 4.6.34 or later as soon as possible.
- Audit existing deployments to identify instances running versions 2.5.6 through 4.6.33, particularly those exposed to untrusted networks.
- Review model provider billing and usage logs for the period after May 11, 2026 to detect suspicious agent execution or API quota consumption.
- Rotate any credentials or API keys referenced in agents.yaml, as they may have been enumerated during scanning activity.
- Implement network access controls to restrict the /agents and /chat endpoints to trusted callers only, pending upgrade.
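An added triage example, not from the advisory or the PraisonAI project: it scans reverse-proxy access logs for the activity described above (HTTP 200 responses on /agents and /chat from callers outside a trusted range, the CVE-Detector user agent, and request bursts). The combined log format, the 10. trusted prefix, the burst threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format (assumed reverse-proxy log).
# Addresses are documentation ranges, not indicators from the report.
SAMPLE_LOG = """\
198.51.100.7 - - [11/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 412 "-" "CVE-Detector/1.0"
198.51.100.7 - - [11/May/2026:17:40:03 +0000] "GET /.env HTTP/1.1" 404 0 "-" "CVE-Detector/1.0"
203.0.113.20 - - [11/May/2026:18:05:11 +0000] "POST /chat HTTP/1.1" 200 1530 "-" "python-requests/2.32"
10.0.0.5 - - [11/May/2026:18:06:00 +0000] "GET /agents HTTP/1.1" 200 412 "-" "internal-dashboard"
203.0.113.20 - - [11/May/2026:18:07:00 +0000] "GET /agents HTTP/1.1" 401 27 "-" "curl/8.5"
"""

LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SENSITIVE = {("GET", "/agents"), ("POST", "/chat")}

def triage(log_text, trusted=("10.",), burst=50, window_s=60):
    """Return sorted (ip, reason) findings; trusted is a hypothetical allowlist."""
    findings, times = set(), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, ua = m["ip"], m["ua"]
        path = m["path"].split("?", 1)[0]  # ignore any query string
        times[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if ua.startswith("CVE-Detector/"):
            findings.add((ip, "scanner-user-agent"))
        if ip.startswith(trusted):
            continue  # expected internal callers
        if (m["method"], path) in SENSITIVE and m["status"] == "200":
            kind = "agents-enumerated" if path == "/agents" else "chat-executed"
            findings.add((ip, kind))
    for ip, stamps in times.items():  # sliding-window burst check per source
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > timedelta(seconds=window_s):
                lo += 1
            if hi - lo + 1 >= burst:
                findings.add((ip, "request-burst"))
                break
    return sorted(findings)
```

A chat-executed finding is the one to correlate with model provider usage logs, since it marks a workflow run rather than enumeration.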
Open questions
- Whether any POST requests to the /chat endpoint were sent by the threat actor to actually execute agents, or whether the activity remained at the reconnaissance phase.
- The full scope of internet-exposed PraisonAI instances that were probed or successfully exploited.
- The identity of the threat actor operating the CVE-Detector/1.0 scanner and whether this activity is part of a broader campaign.
- Whether any successful exploitation beyond the initial /agents enumeration occurred before operators patched their systems.
Source
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure


