VYPR
patch · Published May 14, 2026 · Updated May 18, 2026 · 1 source

Attackers Exploit PraisonAI Authentication Bypass Within Hours of Disclosure

Attackers began probing CVE-2026-44338, an authentication bypass in PraisonAI, less than four hours after public disclosure, highlighting the shrinking window for defenders to patch.

Attackers began probing a critical authentication bypass vulnerability in PraisonAI, tracked as CVE-2026-44338, less than four hours after its public disclosure, according to application protection firm Sysdig. The rapid exploitation underscores a troubling trend: the window for organizations to patch and mitigate vulnerabilities is shrinking dramatically, driven in part by AI-assisted tooling that accelerates the creation of working exploits.

PraisonAI is a multi-agent framework that enables organizations to deploy autonomous AI agents for executing complex tasks. The vulnerability exists in PraisonAI versions 2.5.6 through 4.6.33, which shipped with a legacy Flask API server that had authentication disabled by default. As a NIST advisory explains, "When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token." This means unauthenticated attackers can retrieve agent metadata and execute workflows simply by sending requests to the exposed endpoints.

Sysdig observed a scanner identifying itself as CVE-Detector/1.0 targeting internet-exposed instances of PraisonAI. The scanner made two passes eight minutes apart, each pushing approximately 70 requests in roughly 50 seconds. The first pass swept generic disclosure paths such as /.env and /admin, while the second pass narrowed to AI-agent surfaces. The activity only targeted the /agents endpoint and did not send requests to /chat, suggesting the attempt was focused on reconnaissance and validation rather than interactive exploitation.
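A detection sketch for the probing pattern described above, added here as an example and not taken from Sysdig or PraisonAI. It assumes combined-format access logs from a proxy in front of the API server; the burst thresholds, IP addresses and log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Combined log format: ip, [time], "METHOD path ...", status, size, referer, user agent
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
TS = "%d/%b/%Y:%H:%M:%S %z"
AGENT_PATHS = ("/agents", "/chat")   # endpoints named in the advisory
SCANNER_UA = "CVE-Detector/1.0"      # user agent reported by Sysdig
BURST_COUNT, BURST_WINDOW = 50, timedelta(seconds=60)  # assumed thresholds, tune locally

def parse(line):
    m = LINE.match(line)
    if m:  # unparseable lines yield None and are skipped
        ip, ts, path, status, ua = m.groups()
        return ip, datetime.strptime(ts, TS), path.split("?")[0], int(status), ua

def analyze(lines):
    """Map each suspicious client IP to a sorted list of findings."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        by_ip[rec[0]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        times = sorted(r[1] for r in recs)
        found = {"scanner-user-agent"} if any(SCANNER_UA in r[4] for r in recs) else set()
        if any(times[i + BURST_COUNT - 1] - times[i] <= BURST_WINDOW
               for i in range(len(times) - BURST_COUNT + 1)):
            found.add("burst")  # BURST_COUNT requests inside BURST_WINDOW
        for _, _, path, status, _ in recs:
            if path in AGENT_PATHS:  # 2xx = endpoint answered; logs do not show tokens
                found.add(path + (":answered" if 200 <= status < 300 else ":rejected"))
        if found:
            report[ip] = sorted(found)
    return report

def constructed_sample():
    """Constructed log: a two-pass scanner (203.0.113.7) and two ordinary clients."""
    row = '{} - - [{}] "GET {} HTTP/1.1" {} 128 "-" "{}"'
    t0 = datetime(2026, 5, 14, 12, 0, tzinfo=timezone.utc)
    out = [row.format("198.51.100.20", t0.strftime(TS), "/", 200, "Mozilla/5.0"),
           row.format("198.51.100.21", t0.strftime(TS), "/chat", 401, "curl/8.5.0")]
    for start, paths in ((0, [("/.env", 404), ("/admin", 404)]), (480, [("/agents", 200), ("/", 200)])):
        for i in range(70):  # about 70 requests in roughly 50 seconds per pass
            when = (t0 + timedelta(seconds=start + i * 50 / 70)).strftime(TS)
            out.append(row.format("203.0.113.7", when, *paths[i % 2], SCANNER_UA))
    return out

if __name__ == "__main__":
    print(analyze(constructed_sample()))
```

An `answered` finding on `/agents` or `/chat` from a client that should not hold a token is the signal to check whether the deployment is still on an affected version.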

While the vulnerability does not directly enable remote code execution, the impact depends on what the agents.yaml workflow is configured to do. In production environments, workflows often make calls to various LLM providers (such as Anthropic, Bedrock, and OpenAI), grant access to tools including code interpreters and shells, or return agent file names and lists. As Sysdig notes, "The bypass itself is not arbitrary code execution. But because it removes authentication from a workflow trigger that an operator deliberately exposed to do something useful, the impact ceiling is whatever that workflow is allowed to do."

The flaw has been fixed in PraisonAI version 4.6.34, and organizations are urged to update their deployments immediately. The rapid exploitation observed in this case is part of a broader trend. Black Duck AI research engineer Vineeta Sangaraju warned, "AI-assisted tooling is enabling attackers to move from an advisory publication to a working exploit in timeframes that simply did not exist before. Consequently, the timeframe that organizations have to patch and mitigate, or even detect active probing, has shrunk."

Sangaraju added, "The assumptions of traditional risk models about attacker sophistication and time to exploit no longer hold. Organizations need to build the capability to detect and respond within hours, not days, of a high-severity advisory affecting their stack. In the post-AI era, the mere definition of AppSec terms like vulnerability likelihood, script kiddies, etc., needs to be redefined."

This incident serves as a stark reminder that the era of leisurely patch cycles is over. As attackers increasingly leverage automation and AI to weaponize vulnerabilities within hours of disclosure, security teams must adopt faster detection, response, and patching workflows to stay ahead.

Synthesized by Vypr AI