PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure
https://thehackernews.com/2026/05/praisonai-cve-2026-44338-auth-bypass.html
Publish Date: 2026-05-14 07:40:00
Source Domain: thehackernews.com
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of public disclosure.
The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server’s protected functionality without a token.
“PraisonAI ships a legacy Flask API server with authentication disabled by default,” according to an advisory released by the maintainers earlier this month. “When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token.”
Specifically, the legacy Flask-based API server, src/praisonai/api_server.py, hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None. According to PraisonAI, successful exploitation of the flaw can have varied impacts, including –
- Unauthenticated enumeration of the configured agent file through /agents
- Unauthenticated triggering of the locally configured “agents.yaml” workflow through /chat
- Repeated consumption of the model/API quota, and
- Exposure of the results of PraisonAI.run() to the unauthenticated caller
“The impact therefore, depends on what the operator’s agents.yaml is allowed to do, but the authentication bypass is unconditional in the shipped legacy server,” PraisonAI said.
The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33. It has been patched in version 4.6.34. Security researcher Shmulik Cohen has been credited with discovering and reporting the bug.
In a report published by Sysdig this week, the cloud security company said it observed attempts to exploit the flaw within hours of it becoming public knowledge.
“Within three hours and 44 minutes of the advisory becoming public, a scanner…
