CVE-2026-44338
published 2026-05-08CVE-2026-44338: PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by…
PriorityP183high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
26.80%
97.8th percentile
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mervinpraison | praisonai | — | — |
| mervinpraison | praisonai | >= 0 < 4.6.40 | 4.6.40 |
| mervinpraison | praisonai | >= 2.5.6 < 4.6.34 | 4.6.34 |
| praison | praisonai | >= 2.5.6 < 4.6.34 | 4.6.34 |
Detection & IOCsextracted from sources · hover to see the quote
sigma↗
GET /agents — status 200, body contains 'agent_file' and 'agents', Content-Type: application/json, no Authorization header
- →Flag requests with User-Agent 'CVE-Detector/1.0' targeting PraisonAI endpoints; observed scanner sent ~70 requests in ~50 seconds in two passes spaced 8 minutes apart. ↗
- →First pass of the scanner probed generic disclosure paths before targeting AI-agent surfaces; watch for sequential requests to /.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock followed by /agents from the same source IP. ↗
- →Use Shodan query 'html:"PraisonAI"' to identify internet-exposed PraisonAI instances for proactive asset discovery and patching prioritization.
- →Review model provider billing for unexpected spikes — unauthenticated /chat access enables repeated consumption of model/API quota by attackers. ↗
- ·The vulnerable legacy Flask API server hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None, meaning authentication is unconditionally disabled regardless of operator configuration. ↗
- ·The authentication bypass is unconditional in the shipped legacy server; impact severity depends entirely on what the operator's agents.yaml workflow is permitted to do. ↗
- ·Rotate all credentials referenced in agents.yaml after any exposure, as the file's contents are returned to unauthenticated callers via the /agents endpoint. ↗
CVSS provenance
nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
ghsa7.3HIGH
vulncheck7.3HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
ghsa·2026-05-29·CVSS 7.3
CVE-2026-47393 [HIGH] CWE-1188 PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
PraisonAI `deploy --type api` emits a Flask server with authentication disabled by default
### Summary
CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai deploy --type api`) get a server that:
- binds to `0.0.0.0` per the recommended sample YAML
- exposes `/chat` and `/agents` endpoints
- runs `praisonai.run()` on user-supplied JSON input — LLM orchestration with the API key materials present in the process environment
- does not require any authentication
The PyPI wheel `praisonai==4.6.33` (current `@latest`) still ships the generator with `auth_enabled` defaulting to `False`. T
GHSA
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
ghsa·2026-05-11
CVE-2026-44338 [HIGH] CWE-1188 PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
PraisonAI ships and generates a legacy API server with authentication disabled by default, allowing unauthenticated workflow execution
### Summary
PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without providing a token.
### Details
The vulnerable server is the shipped `src/praisonai/api_server.py` entrypoint.
- `AUTH_ENABLED = False` and `AUTH_TOKEN = None` are hard-coded at [[src/praisonai/api_server.py](https://github.com/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/api_server.py:15)](/Users/shmulc/Stuff/tmp/first-cve/scans/variant-hunt/PraisonAI/src/praisonai/api_server.py:15).
VulnCheck
praison praisonai Missing Authentication for Critical Function
vulncheck·2026·CVSS 7.3
CVE-2026-44338 [HIGH] praison praisonai Missing Authentication for Critical Function
praison praisonai Missing Authentication for Critical Function
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
Affected: praison praisonai
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://webflow.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation
No detection rules found.
Nuclei
PraisonAI - Authentication Bypass
nuclei·CVSS 7.3
CVE-2026-44338 [HIGH] PraisonAI - Authentication Bypass
PraisonAI - Authentication Bypass
PraisonAI 2.5.6 to < 4.6.34 contains a broken authentication caused by disabled default authentication in legacy Flask API server, letting remote attackers access /agents and trigger workflows without token, exploit requires network access to API server.
Template:
id: CVE-2026-44338
info:
name: PraisonAI - Authentication Bypass
author: jnoza
severity: high
description: |
PraisonAI 2.5.6 to < 4.6.34 contains a broken authentication caused by disabled default authentication in legacy Flask API server, letting remote attackers access /agents and trigger workflows without token, exploit requires network access to API server.
impact: |
Remote attackers can access and trigger agent workflows without authentication, potentially leading to unauthorized actions
Nuclei
PraisonAI AgentOS - Information Disclosure
nuclei·CVSS 5.3
CVE-2026-40151 [MEDIUM] PraisonAI AgentOS - Information Disclosure
PraisonAI AgentOS - Information Disclosure
PraisonAI's AgentOS FastAPI application server exposes an unauthenticated `GET /api/agents` endpoint that lists every registered agent's name, role and the opening of its instructions (system prompt). No authentication is enforced on the route, allowing a remote attacker to enumerate agent configurations and harvest sensitive details embedded in system prompts, such as internal API references, business logic and credential hints. This endpoint belongs to the AgentOS FastAPI server and is distinct from the legacy Flask `/agents` server tracked as CVE-2026-44338.
Template:
id: CVE-2026-40151
info:
name: PraisonAI AgentOS - Information Disclosure
author: aryu-ru
severity: medium
description: |
PraisonAI's AgentOS FastAPI application server expose
Hackernews
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
blogs_hackernews·2026-05-18·CVSS 6.1
CVE-2026-42897 [MEDIUM] ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Monday opens with a trust problem. A mail server flaw is under active use. A network control system was targeted. Trusted packages were poisoned. A fake model page pushed a stealer. Then came the familiar ransom claim: the data was returned and deleted.
The pattern is clear. One weak dependency can leak keys. One leaked key can open cloud access. One cloud foothold can become a production incident. AI is speeding up vulnerability discovery, attackers are moving quickly, and old exposure still keeps paying off.
Patch the quiet risks first. Let’s g
Hackernews
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
blogs_hackernews·2026-05-14·CVSS 7.3
CVE-2026-44338 [HIGH] PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Home
Threat Intelligence
Vulnerabilities
Cyber Attacks
Webinars
Expert Insights
Awards
Webinars
Awards
Free eBooks
About THN
Jobs
Advertise with us
## PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of public disclosure.
The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server's protected functionality without a token.
" PraisonAI ships a legacy Flask API server with authentication disabled by default," according to an advis
2026-05-08
Published
Exploited in the wild