VYPR
kev · Published May 14, 2026 · Updated May 18, 2026 · 1 source

PraisonAI CVE-2026-44338 Auth Bypass Exploited Within Hours of Disclosure

Threat actors began exploiting a critical authentication bypass vulnerability in the open-source PraisonAI framework less than four hours after its public advisory, highlighting the shrinking window for patching AI infrastructure.

A critical authentication bypass vulnerability in PraisonAI, an open-source multi-agent orchestration framework, came under active exploitation within hours of its public disclosure. The flaw, tracked as CVE-2026-44338 (CVSS 7.3), allows unauthenticated attackers to access sensitive API endpoints and trigger configured workflows, posing a significant risk to organizations using the framework in production environments.

The vulnerability resides in PraisonAI's legacy Flask-based API server, specifically in the file `src/praisonai/api_server.py`. The server hard-codes `AUTH_ENABLED = False` and `AUTH_TOKEN = None`, meaning authentication is disabled by default. This allows any caller that can reach the server to access the `/agents` endpoint to enumerate configured agent files and the `/chat` endpoint to trigger the locally configured `agents.yaml` workflow without providing any token. The impact varies depending on what the operator's `agents.yaml` is allowed to do, but the authentication bypass itself is unconditional.

According to the advisory released by PraisonAI maintainers on May 11, 2026, successful exploitation can lead to unauthenticated enumeration of the configured agent file, unauthenticated triggering of the `agents.yaml` workflow, repeated consumption of the model/API quota, and exposure of the results of `PraisonAI.run()` to the unauthenticated caller. The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33 and has been patched in version 4.6.34. Security researcher Shmulik Cohen is credited with discovering and reporting the bug.

In a report published by Sysdig this week, the cloud security company revealed that it observed exploitation attempts within hours of the advisory becoming public. "Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances," Sysdig said. The advisory was published at 13:56 UTC on May 11, and the first targeted request landed at 17:40 UTC the same day.

The activity originated from the IP address 146.190.133[.]49 and followed a packaged-scanner profile. The scanner carried out two passes spaced eight minutes apart, with each pass pushing approximately 70 requests in roughly 50 seconds. While the first pass scanned generic disclosure paths (`.env`, `/admin`, `/users/sign_in`, `/eval`, `/calculate`, `/Gemfile.lock`), the second pass specifically singled out AI-agent surfaces, including PraisonAI. The probe that matched CVE-2026-44338 directly was a single `GET /agents` with no `Authorization` header and `User-Agent CVE-Detector/1.0`. That request returned a 200 OK response with body `{"agent_file":"agents.yaml","agents":[...]}`, confirming the bypass was successful.

Sysdig noted that the scanner was not observed sending any POST request to the `/chat` endpoint during either pass, which is consistent with an initial check to determine whether the auth bypass works and confirm that the host is exploitable. The rapid exploitation of PraisonAI is the latest example of a broader trend in which threat actors adopt newly disclosed flaws into their arsenal before patches can be applied.

Users are strongly advised to apply the latest fixes as soon as possible, audit existing deployments, review model provider billing for any suspicious activity, and rotate credentials referenced in `agents.yaml`. As Sysdig warned, "Adversary tooling has scaled to the entire AI and agent ecosystem – no matter the size, and not just the household names – and the operating assumption for any project that ships an unauthenticated default must be that the window between disclosure and active exploitation is measured in single-digit hours."
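One way to audit request logs for the activity described above, as an added example that is not code from PraisonAI or Sysdig: it flags 2xx responses to unauthenticated `GET /agents` and `POST /chat`, the `CVE-Detector` user agent, and scan bursts. The JSON log schema, the burst thresholds and the sample records are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Assumed log schema (not PraisonAI's own): one JSON object per request with ts (epoch
# seconds), src, method, path, status, ua, auth (True if an Authorization header was sent).
SENSITIVE = {("GET", "/agents"): "agents_enumerated", ("POST", "/chat"): "workflow_triggered"}
BURST_REQUESTS, BURST_WINDOW = 50, 60  # assumed thresholds; the page reports ~70 requests in ~50 s

def audit(lines):
    """Return {src: sorted findings} for unauthenticated hits and scan bursts."""
    findings, times = defaultdict(set), defaultdict(list)
    for line in lines:
        r = json.loads(line)
        times[r["src"]].append(r["ts"])
        label = SENSITIVE.get((r["method"], r["path"].split("?")[0]))
        # A 2xx answer to a request without an Authorization header means the bypass worked.
        if label and not r["auth"] and 200 <= r["status"] < 300:
            findings[r["src"]].add(label)
        if "CVE-Detector" in r.get("ua", ""):
            findings[r["src"]].add("scanner_user_agent")
    for src, ts in times.items():
        ts.sort()
        # Sliding window: BURST_REQUESTS consecutive requests inside BURST_WINDOW seconds.
        for i in range(len(ts) - BURST_REQUESTS + 1):
            if ts[i + BURST_REQUESTS - 1] - ts[i] <= BURST_WINDOW:
                findings[src].add("scan_burst")
                break
    return {src: sorted(f) for src, f in findings.items()}

def sample_log():
    """Constructed sample records (documentation-range IPs), not real traffic."""
    rec = lambda **k: json.dumps(k)
    # Scanner: 70 generic probes over ~50 s, then the unauthenticated GET /agents.
    log = [rec(ts=1000 + i * 0.7, src="203.0.113.7", method="GET", path=f"/probe{i}",
               status=404, ua="CVE-Detector/1.0", auth=False) for i in range(70)]
    log.append(rec(ts=1050, src="203.0.113.7", method="GET", path="/agents",
                   status=200, ua="CVE-Detector/1.0", auth=False))
    # A different source that triggers the workflow without a token.
    log.append(rec(ts=2000, src="198.51.100.9", method="POST", path="/chat",
                   status=200, ua="curl/8.5.0", auth=False))
    # Legitimate client presenting a token: must not be flagged.
    log.append(rec(ts=3000, src="192.0.2.10", method="GET", path="/agents",
                   status=200, ua="internal-ui", auth=True))
    return log

if __name__ == "__main__":
    for src, found in audit(sample_log()).items():
        print(src, found)
```

A `workflow_triggered` finding is the one that warrants the billing review and credential rotation advised above, since it means `PraisonAI.run()` output was returned to an unauthenticated caller.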

This incident underscores the critical importance of securing AI infrastructure with the same rigor as traditional systems. The open-source nature of PraisonAI means that many deployments may be running unpatched versions, and the rapid exploitation timeline leaves little room for delay. Organizations using PraisonAI should treat this as an emergency and prioritize patching immediately.

Synthesized by Vypr AI