High severity 7.3 · NVD Advisory · Published May 8, 2026 · Updated May 8, 2026

CVE-2026-44338

Description

PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: PraisonAI (PyPI)
Affected versions: >= 2.5.6, < 4.6.34
Patched versions: 4.6.34
