cbcvebase.
CVE-2026-44338
published 2026-05-08

CVE-2026-44338: PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by…

PriorityP183high7.3CVSS 3.1
AVNACLPRNUINSUCLILAL
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
26.80%
97.8th percentile
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.

Affected

4 ranges
VendorProductVersion rangeFixed in
mervinpraisonpraisonai
mervinpraisonpraisonai>= 0 < 4.6.404.6.40
mervinpraisonpraisonai>= 2.5.6 < 4.6.344.6.34
praisonpraisonai>= 2.5.6 < 4.6.344.6.34

Detection & IOCsextracted from sources · hover to see the quote

ip146.190.133[.]49
uaCVE-Detector/1.0
path/agents
path/chat
pathsrc/praisonai/api_server.py
filenameagents.yaml
sigma
GET /agents — status 200, body contains 'agent_file' and 'agents', Content-Type: application/json, no Authorization header
  • Flag requests with User-Agent 'CVE-Detector/1.0' targeting PraisonAI endpoints; observed scanner sent ~70 requests in ~50 seconds in two passes spaced 8 minutes apart.
  • First pass of the scanner probed generic disclosure paths before targeting AI-agent surfaces; watch for sequential requests to /.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock followed by /agents from the same source IP.
  • Use Shodan query 'html:"PraisonAI"' to identify internet-exposed PraisonAI instances for proactive asset discovery and patching prioritization.
  • Review model provider billing for unexpected spikes — unauthenticated /chat access enables repeated consumption of model/API quota by attackers.
  • ·The vulnerable legacy Flask API server hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None, meaning authentication is unconditionally disabled regardless of operator configuration.
  • ·The authentication bypass is unconditional in the shipped legacy server; impact severity depends entirely on what the operator's agents.yaml workflow is permitted to do.
  • ·Rotate all credentials referenced in agents.yaml after any exposure, as the file's contents are returned to unauthenticated callers via the /agents endpoint.

CVSS provenance

nvdv3.17.3HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
ghsa7.3HIGH
vulncheck7.3HIGH
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.