A critical authentication bypass vulnerability in PraisonAI, the open-source multi-agent AI orchestration framework, was actively scanned by attackers less than four hours after public disclosure, underscoring the dangerously compressed exploitation timelines that now characterize the AI-accelerated threat landscape.
Tracked as CVE-2026-44338 with a CVSS score of 7.3 (High), the flaw affects all PraisonAI versions from 2.5.6 through 4.6.33 and has been patched in version 4.6.34.
PraisonAI is a Python-based, open-source multi-agent orchestration framework designed to help organizations deploy autonomous AI agents capable of executing complex, multi-step automated tasks.
The project boasts roughly 7,100 GitHub stars and is widely used by developers and enterprises integrating LLM-powered workflows into production pipelines. Its popularity and the sensitive nature of the agent workflows it powers make this authentication bypass particularly dangerous.
PraisonAI Auth Vulnerability
The root cause of CVE-2026-44338 is disarmingly simple: PraisonAI ships a legacy Flask-based API server (src/praisonai/api_server.py) where authentication is hard-coded to be disabled.
Specifically, the server sets AUTH_ENABLED = False and AUTH_TOKEN = None at the source level, so the check_auth() helper function returns True regardless of whether the caller provides any credentials. Both protected routes, GET /agents and POST /chat, therefore fail open.
The GET /agents endpoint, guarded only by this no-op authentication check, returns metadata about the configured agent file. More critically, POST /chat accepts any JSON body containing a message key and immediately executes the agents.yaml workflow by calling PraisonAI(agent_file="agents.yaml").run(), ignoring the submitted message value entirely. The caller cannot steer the workflow, but can start it at will.
When launched directly, the server binds to 0.0.0.0:8080, meaning it is exposed on all network interfaces by default. The insecure default extends beyond the runtime server.
The deploy subsystem’s APIConfig also defaults auth_enabled to False, and the generated sample deployment YAML explicitly recommends host: 0.0.0.0 paired with auth_enabled: false. This means even operators who spin up deployments from PraisonAI’s own scaffolding templates inherit the vulnerable configuration.
Proof of Concept (Observed Result): A basic unauthenticated GET request to /agents returns 200 {"agent_file":"agents.yaml","agents":["default"]}, and a POST to /chat returns 200 {"response":{"agent_file":"agents.yaml","ran":true},"status":"success"}, with no Authorization header required.
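The fail-open check described above, placed beside a fail-closed replacement, as an added illustration that is not PraisonAI's own code. The legacy half reproduces the defect the advisory describes (a hard-coded AUTH_ENABLED = False that makes the credential comparison dead code); the hardened half validates its configuration at startup, refuses a non-loopback bind with authentication off, and compares the bearer token in constant time. The environment variable names PRAISONAI_API_KEY, PRAISONAI_AUTH_ENABLED and PRAISONAI_HOST, the 32-character minimum key length, and the minimal route dispatcher are assumptions made for the example.

```python
"""Illustrative fail-open vs. fail-closed bearer-token check for a small agent API.

Added example, not PraisonAI's code: the legacy half reproduces the defect the
advisory describes; the hardened half shows one fix. Environment variable names
(PRAISONAI_API_KEY, PRAISONAI_AUTH_ENABLED, PRAISONAI_HOST) are assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import List, Mapping

# --- Legacy pattern, as described: authentication is switched off in source. ---
AUTH_ENABLED = False
AUTH_TOKEN = None


def check_auth_legacy(headers: Mapping[str, str]) -> bool:
    """Returns True for every caller because AUTH_ENABLED is hard-coded False.
    The credential comparison below it is dead code."""
    if not AUTH_ENABLED:
        return True
    return headers.get("Authorization") == f"Bearer {AUTH_TOKEN}"


# --- Hardened replacement: config validated at startup, check fails closed. ---
LOOPBACK = {"127.0.0.1", "::1", "localhost"}
MIN_KEY_LEN = 32  # assumption: a reasonable floor for a random API key


@dataclass(frozen=True)
class AuthConfig:
    enabled: bool
    token: str
    host: str


def validate_env(env: Mapping[str, str]) -> List[str]:
    """Return the reasons this environment must not be served; empty if it is safe."""
    host = env.get("PRAISONAI_HOST", "127.0.0.1")
    enabled = env.get("PRAISONAI_AUTH_ENABLED", "true").strip().lower() != "false"
    token = env.get("PRAISONAI_API_KEY", "").strip()
    problems = []
    if not enabled and host not in LOOPBACK:
        problems.append(f"auth disabled while bound to {host}; only loopback may run without a key")
    if enabled and len(token) < MIN_KEY_LEN:
        problems.append(f"PRAISONAI_API_KEY missing or shorter than {MIN_KEY_LEN} characters")
    return problems


def load_auth_config(env: Mapping[str, str]) -> AuthConfig:
    """Fail closed: refuse to start rather than silently run unauthenticated."""
    problems = validate_env(env)
    if problems:
        raise RuntimeError("; ".join(problems))
    return AuthConfig(
        enabled=env.get("PRAISONAI_AUTH_ENABLED", "true").strip().lower() != "false",
        token=env.get("PRAISONAI_API_KEY", "").strip(),
        host=env.get("PRAISONAI_HOST", "127.0.0.1"),
    )


def check_auth(headers: Mapping[str, str], cfg: AuthConfig) -> bool:
    """Bearer check that rejects anything not exactly 'Bearer <key>', compared in constant time."""
    if not cfg.enabled:  # only reachable for a loopback dev bind, enforced by validate_env
        return True
    value = headers.get("Authorization") or headers.get("authorization") or ""
    scheme, _, presented = value.partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), cfg.token.encode())


def handle(method: str, path: str, headers: Mapping[str, str], cfg: AuthConfig) -> int:
    """Dispatcher for the two endpoints named in the advisory; returns an HTTP status.
    The auth check runs before any route-specific work, so /chat cannot start a
    workflow for an unauthenticated caller."""
    if path not in ("/agents", "/chat"):
        return 404
    if not check_auth(headers, cfg):
        return 401
    if (method, path) in (("GET", "/agents"), ("POST", "/chat")):
        return 200  # the real handler (listing agents, running the workflow) would run here
    return 405
```

The important design choice is that load_auth_config raises instead of defaulting: a deployment that forgets to set a key, or that pairs auth_enabled: false with a 0.0.0.0 bind, fails at startup instead of quietly serving every caller.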
The speed at which attackers moved on this vulnerability is a stark warning signal. According to Sysdig’s Threat Research Team (TRT), a scanner identifying itself as CVE-Detector/1.0 probed exposed PraisonAI instances just 3 hours and 44 minutes after the GitHub advisory (GHSA-6rmh-7xcm-cpxj) went public on May 11, 2026.
The attacker’s methodology revealed a systematic, two-phase reconnaissance sweep. The first pass, eight minutes before the second, swept generic disclosure paths, including /.env, /admin, /users/sign_in, /eval, and /Gemfile.lock.
The second pass narrowed specifically to AI-agent attack surfaces. Both passes pushed roughly 70 requests in approximately 50 seconds, and the second focused entirely on /agents without proceeding to /chat, which confirms that the activity was oriented toward reconnaissance and target validation rather than interactive exploitation.
“Enumerate the agent list, confirm the auth bypass works, log the host as exploitable, and move on. Follow-on tooling is typically separate,”
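Detection logic for the sweep described above, run over access-log lines, as an added example that is not Sysdig's tooling. It flags the CVE-Detector/1.0 User-Agent from the IOC table, hits on the generic disclosure paths of the first pass, 200 responses on the two agent endpoints (which, on the legacy server, means the bypass answered), and a per-IP request burst over a sliding window. The sample log, the burst thresholds (20 requests in 60 seconds) and the second host are constructed for illustration.

```python
"""Access-log detection for the two-pass PraisonAI scanning pattern.

Added example, not Sysdig's or PraisonAI's code. Input is combined-log-format
lines in chronological order; the sample log and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

SCANNER_UAS = {"CVE-Detector/1.0"}                       # from the IOC table
AGENT_PATHS = {"/agents", "/chat"}                       # the two fail-open routes
RECON_PATHS = {"/.env", "/admin", "/users/sign_in", "/eval", "/Gemfile.lock"}

Finding = Tuple[str, str, str]  # (source ip, rule, detail)


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None for anything that does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect(lines: Iterable[str], burst_count: int = 20, burst_window: int = 60) -> List[Finding]:
    """Return one finding per rule hit. The burst rule fires once per IP, on the
    request that pushes its sliding window over burst_count."""
    findings: List[Finding] = []
    windows: Dict[str, deque] = defaultdict(deque)
    burst_seen: Set[str] = set()
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline would count these
        ip, path = ev["ip"], ev["path"]
        if ev["ua"] in SCANNER_UAS:
            findings.append((ip, "scanner_ua", path))
        if path in RECON_PATHS:
            findings.append((ip, "recon_path", path))
        if path in AGENT_PATHS and ev["status"] == 200:
            findings.append((ip, "agent_endpoint_200", path))
        q = windows[ip]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > burst_window:
            q.popleft()                       # drop requests older than the window
        if len(q) >= burst_count and ip not in burst_seen:
            burst_seen.add(ip)
            findings.append((ip, "burst", f"{len(q)} requests in {burst_window}s"))
    return findings


def summarize(findings: Iterable[Finding]) -> Dict[str, Set[str]]:
    """Rules triggered per source IP; an IP with all four matches the described sweep."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for ip, rule, _ in findings:
        out[ip].add(rule)
    return dict(out)


def constructed_sample() -> List[str]:
    """Synthetic log mirroring the described sweep: a short generic pass, an /agents
    burst eight minutes later, plus one benign probe from another host."""
    def line(ip, ts, method, path, status, ua):
        return f'{ip} - - [{ts.strftime(TS_FMT)}] "{method} {path} HTTP/1.1" {status} 56 "-" "{ua}"'

    scanner, t0 = "146.190.133.49", datetime(2026, 5, 11, 13, 44, tzinfo=timezone.utc)
    lines = [
        line(scanner, t0, "GET", "/.env", 404, "CVE-Detector/1.0"),
        line(scanner, t0 + timedelta(seconds=1), "GET", "/admin", 404, "CVE-Detector/1.0"),
        line("10.0.0.5", t0 + timedelta(seconds=30), "GET", "/healthz", 200, "kube-probe/1.29"),
    ]
    t1 = t0 + timedelta(minutes=8)
    lines += [line(scanner, t1 + timedelta(seconds=2 * i), "GET", "/agents", 200, "CVE-Detector/1.0")
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for ip, rules in summarize(detect(constructed_sample())).items():
        print(ip, sorted(rules))
```

A 200 on GET /agents is the highest-value signal here: once a patched server or a proxy rule is in place the same probe returns 401, so the rule doubles as a check that the mitigation actually took effect.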
While CVE-2026-44338 is not a direct arbitrary remote code execution (RCE) vulnerability, its practical impact ceiling is defined entirely by what the operator’s agents.yaml is configured to do.
In production environments, agent workflows commonly make live calls to LLM providers such as OpenAI, Anthropic, and AWS Bedrock, and frequently grant access to powerful tools including code interpreters, shells, and file I/O operations.
At a minimum, successful exploitation allows:
- Unauthenticated enumeration of the configured agent file via /agents
- Unauthenticated triggering of the full agents.yaml workflow via /chat
- Repeated consumption of model and API quota, resulting in financial and operational damage
- Exposure of workflow results, including potentially sensitive output, to any unauthenticated caller
Security researcher Shmulik Cohen is credited with discovering and responsibly reporting the vulnerability.
Security experts have called this incident a harbinger of a new normal in vulnerability-exploitation timelines. Black Duck AI research engineer Vineeta Sangaraju warned: “AI-assisted tooling is enabling attackers to move from an advisory publication to a working exploit in timeframes that simply did not exist before.
The timeframe that organizations have to patch and mitigate or even detect active probing has shrunk dramatically.” Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, added that the blast radius depends directly on operator permissions granted to agent workflows, and called out the broader industry risk.
“Any organization that accelerated AI agent adoption without auditing network binding, authentication defaults, and credential exposure in agent configuration files now faces risk it likely hasn’t quantified.”
Mitigation
Organizations running PraisonAI should treat this as a critical-priority patch. The following immediate steps are recommended:
- Upgrade immediately to PraisonAI version 4.6.34 or later
- Discontinue the legacy api_server.py entrypoint; the newer serve agents command binds to 127.0.0.1 and supports --api-key, making it safer by default
- Audit existing deployments to confirm no public-facing 0.0.0.0:8080 exposure
- Review model provider billing (OpenAI, Anthropic, Bedrock) for any suspicious or anomalous API consumption
- Rotate all credentials and tokens referenced inside agents.yaml immediately
| IOC Type | Value | Description |
|---|---|---|
| IP Address | 146.190.133.49 | First scanner contact; generic recon (/, /.env, /admin) |
| User-Agent | CVE-Detector/1.0 | Automated scanner targeting CVE-2026-44338 endpoints |
| Endpoint | GET /agents | Unauthenticated agent enumeration probe |
| Endpoint | POST /chat | Unauthenticated workflow trigger |
| Request Pattern | ~70 reqs / 50 seconds | Two-pass sweep, 8 minutes apart |
FAQ
Q1: What is CVE-2026-44338 in PraisonAI?
CVE-2026-44338 is a high-severity (CVSS 7.3) authentication bypass in PraisonAI’s legacy Flask API server, where AUTH_ENABLED = False is hard-coded, allowing any unauthenticated caller to access /agents and trigger AI workflows via /chat.
Q2: Which versions of PraisonAI are affected?
All PraisonAI versions from 2.5.6 through 4.6.33 (pip package) are vulnerable; the issue is fully patched in version 4.6.34.
Q3: Was CVE-2026-44338 actively exploited in the wild?
Yes, Sysdig confirmed that automated scanners began probing exposed PraisonAI instances just 3 hours and 44 minutes after the advisory went public on May 11, 2026.
Q4: How can organizations protect themselves from this vulnerability?
Organizations should immediately upgrade to PraisonAI 4.6.34, stop using the legacy api_server.py entrypoint, restrict network access to the API server, and rotate any credentials stored in agents.yaml.
Site: thecybrdef.com