Critical PraisonAI Vulnerability Exploited Within Hours of Disclosure
In a swift and alarming development, cyber attackers began exploiting a newly disclosed vulnerability in PraisonAI, an open-source multi-agent orchestration framework, less than four hours after its public announcement.
The vulnerability, designated as CVE-2026-44338 with a CVSS score of 7.3, arises from missing authentication mechanisms, leaving sensitive endpoints unprotected. This flaw enables unauthorized individuals to access the API server’s protected functionalities without requiring a token.
According to an advisory from PraisonAI’s maintainers, the framework includes a legacy Flask API server where authentication is disabled by default. Consequently, any user with network access can interact with the /agents endpoint and initiate workflows defined in the agents.yaml file via the /chat endpoint without authentication.
The core of the issue lies in the legacy Flask-based API server, specifically in the file src/praisonai/api_server.py, where the variables AUTH_ENABLED and AUTH_TOKEN are hard-coded as False and None, respectively. This configuration allows:
– Unauthenticated enumeration of the configured agent file through the /agents endpoint.
– Unauthenticated triggering of workflows specified in the agents.yaml file via the /chat endpoint.
– Repeated consumption of model or API quotas.
– Exposure of the results from PraisonAI.run() to unauthorized users.
The impact of this vulnerability varies based on the permissions and configurations within the agents.yaml file. However, the authentication bypass is a consistent issue in the default legacy server setup.
This security flaw affects all versions of the PraisonAI Python package from 2.5.6 through 4.6.33. The issue has been addressed in version 4.6.34. Security researcher Shmulik Cohen is credited with discovering and reporting the vulnerability.
Cloud security firm Sysdig reported observing exploitation attempts within hours of the vulnerability’s disclosure. Their findings indicate that within three hours and 44 minutes of the advisory’s publication, a scanner identifying itself as CVE-Detector/1.0 began probing vulnerable endpoints on internet-exposed instances. The advisory was released on May 11, 2026, at 13:56 UTC, and the first targeted request was recorded at 17:40 UTC the same day.
The malicious activity originated from the IP address 146.190.133[.]49 and followed a pattern typical of packaged scanners, conducting two passes spaced eight minutes apart. Each pass involved approximately 70 requests over about 50 seconds.
During the first pass, the scanner targeted generic disclosure paths such as /.env, /admin, /users/sign_in, /eval, /calculate, and /Gemfile.lock. The second pass focused specifically on AI-agent surfaces, including PraisonAI.
Sysdig noted that the probe matching CVE-2026-44338 was a single GET request to the /agents endpoint without an Authorization header, using the User-Agent CVE-Detector/1.0. The request returned a 200 OK response whose body identified the configured agent file and its agents, confirming that authentication had been bypassed.
Notably, the scanner did not send any POST requests to the /chat endpoint during either pass, suggesting that the activity was an initial check to verify the authentication bypass and determine if the host was exploitable via CVE-2026-44338.
The rapid exploitation of PraisonAI underscores a growing trend where threat actors quickly incorporate newly disclosed vulnerabilities into their attack strategies before patches can be widely applied.
Users are strongly advised to:
– Apply the latest patches immediately.
– Audit existing deployments for potential vulnerabilities.
– Review model provider billing statements for any unusual activity.
– Rotate credentials referenced in the agents.yaml file.
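One way to start the deployment audit, as an added example that is not code from PraisonAI or Sysdig: a version check against the affected range plus a log triage that separates the enumeration-only probe described above (GET /agents returning 200) from an actual workflow trigger (POST /chat returning 200). It assumes a reverse proxy writing Combined Log Format sits in front of the API server; the function names, the known_clients allow-list and the sample log lines are constructed for illustration.

```python
import re

# Affected range as stated in the article: 2.5.6 through 4.6.33 (fixed in 4.6.34).
FIRST_AFFECTED, LAST_AFFECTED = (2, 5, 6), (4, 6, 33)

# Assumption: a reverse proxy writes Combined Log Format in front of the API server.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_affected(version):
    """True if a praisonai version string falls inside the affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return FIRST_AFFECTED <= tuple(map(int, m.groups())) <= LAST_AFFECTED

def triage(lines, known_clients=frozenset()):
    """Return (finding, ip, user_agent) for successful hits on the legacy endpoints."""
    findings = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "200" or m["ip"] in known_clients:
            continue
        path = m["path"].split("?", 1)[0].rstrip("/")
        if m["method"] == "GET" and path == "/agents":
            findings.append(("agents-enumerated", m["ip"], m["ua"]))
        elif m["method"] == "POST" and path == "/chat":
            # A workflow ran: review provider billing and rotate agents.yaml credentials.
            findings.append(("workflow-triggered", m["ip"], m["ua"]))
    return findings

# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2026:09:15:02 +0000] "GET /agents HTTP/1.1" 200 312 "-" "CVE-Detector/1.0"',
    '203.0.113.7 - - [12/May/2026:09:15:03 +0000] "GET /.env HTTP/1.1" 404 207 "-" "CVE-Detector/1.0"',
    '198.51.100.23 - - [12/May/2026:09:40:41 +0000] "POST /chat HTTP/1.1" 200 1840 "-" "python-requests/2.32.3"',
    '10.0.0.5 - - [12/May/2026:09:41:00 +0000] "GET /agents HTTP/1.1" 200 312 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    print("4.6.33 affected:", is_affected("4.6.33"))
    for finding in triage(SAMPLE_LOG, known_clients={"10.0.0.5"}):
        print(finding)
```

Access logs do not record whether an Authorization header was sent, so on an affected version every 200 from a client outside the allow-list should be treated as unauthenticated access.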
Sysdig emphasized that adversary tools have scaled to target the entire AI and agent ecosystem, regardless of size. They caution that any project shipping with unauthenticated defaults should assume that the window between disclosure and active exploitation is now measured in mere hours.