PraisonAI Legacy API Authentication Bypass (CVE-2026-44338)
Severity Assessment
- Exploitability: 8/10 — The vulnerable legacy Flask API server accepted unauthenticated network requests to /agents and /chat when exposed.
- Impact: 7/10 — Successful access could enumerate configured agents and trigger the local agents.yaml workflow, with impact depending on what the operator configured that workflow to do.
- Weaponization Risk: 8/10 — Sysdig observed PraisonAI-specific probing within hours of the advisory timeline it tracked.
- Patch Urgency: 8/10 — PraisonAI 4.6.34 patched the affected legacy API server behavior.
- Detection Coverage: 6/10 — Endpoint access logs and perimeter telemetry can identify suspicious unauthenticated requests, but application logs may not distinguish missing authentication from legitimate unauthenticated behavior.
Summary
CVE-2026-44338 is a high-severity authentication bypass in PraisonAI’s legacy Flask API server. GitHub’s advisory states that PraisonAI versions 2.5.6 through 4.6.33 shipped or generated an API server configuration where authentication was disabled by default. When the legacy server was reachable, unauthenticated callers could access /agents and trigger the configured agents.yaml workflow through /chat.
The issue was patched in PraisonAI 4.6.34. NIST’s National Vulnerability Database describes the flaw as missing authentication affecting reachable legacy API deployments, with weaknesses including CWE-306, CWE-668, and CWE-1188.
Sysdig reported exploitation activity in the form of targeted probing against the vulnerable endpoint. Its research identified a scanner using the CVE-Detector/1.0 user agent and probing PraisonAI-specific paths, including /agents, shortly after the disclosure timeline Sysdig tracked. Public reporting supports scanner validation and probing, not confirmed interactive compromise of victim environments.
Exploit Chain
Stage 1: Internet Exposure
An operator runs the legacy PraisonAI API server or a generated API deployment that exposes the service to a reachable network interface. GitHub’s advisory states that the legacy server used authentication-disabled defaults, and the generated sample deployment path could also use host: 0.0.0.0 with authentication disabled.
Stage 2: Endpoint Discovery
An attacker or scanner probes for PraisonAI and adjacent AI-agent API paths. Sysdig observed requests for fingerprinting paths such as /docs, /openapi.json, /praisonai/version.txt, and PraisonAI-specific API paths.
Stage 3: Unauthenticated Agent Enumeration
The scanner requests /agents without an authorization header. In affected versions, the endpoint returns configured agent metadata because the authentication check fails open when authentication is disabled.
Stage 4: Workflow Triggering
An unauthenticated caller can submit a request to /chat. GitHub’s advisory says the handler checks for a JSON message key and then runs PraisonAI(agent_file="agents.yaml").run(). The impact depends on the configured workflow and any model-provider, file, shell, HTTP, or other tools made available to the agents.
Stage 5: Follow-On Impact
Follow-on activity could include model API quota consumption, exposure of workflow output, or side effects caused by the configured agent workflow. Available sources do not establish a named threat actor, mass compromise, or a specific victim set.
Detection Guidance
Network and access-log detection:
- Alert on unauthenticated GET /agents or POST /chat requests to PraisonAI legacy API deployments.
- Search for User-Agent: CVE-Detector/1.0, which Sysdig identified as an operationally useful indicator.
- Review requests for PraisonAI fingerprint paths, including /praisonai/version.txt, /pyproject.toml, /poetry.lock, and /requirements.txt.
- Monitor for repeated requests to /api/agents, /api/v1/agents, /api/tasks, /api/tools, /mcp/config, and adjacent AI-agent API paths.
Host and workflow detection:
- Review PraisonAI process logs for unexpected workflow executions or repeated /chat requests.
- Audit model-provider billing and usage for abnormal activity after the disclosure window.
- Monitor agent workflow execution for unexpected subprocess creation, outbound network connections, file writes, or side-effect-producing tool calls.
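The access-log checks above can be combined into one pass over a reverse-proxy log. The following is an added example, not code from Sysdig, GitHub, or PraisonAI. It assumes Combined Log Format, and the allowlisted client address, the sweep threshold of three paths, and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators and paths come from this page; allowlist, threshold and log lines are constructed.
SCANNER_UA = "CVE-Detector/1.0"
SCANNER_IP = "146.190.133.49"
VULN_ENDPOINTS = {("GET", "/agents"), ("POST", "/chat")}
FINGERPRINT_PATHS = {
    "/docs", "/openapi.json", "/praisonai/version.txt", "/pyproject.toml",
    "/poetry.lock", "/requirements.txt", "/api/agents", "/api/agents/config",
    "/api/v1/agents", "/api/tasks", "/api/tools", "/mcp/config"}
# Combined Log Format: ip ident user [time] "METHOD target proto" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SAMPLE_LOG = """\
146.190.133.49 - - [11/May/2026:09:14:02 +0000] "GET /docs HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:09:14:03 +0000] "GET /praisonai/version.txt HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:09:14:03 +0000] "GET /api/v1/agents HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
146.190.133.49 - - [11/May/2026:09:14:04 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"
198.51.100.7 - - [11/May/2026:10:02:41 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "python-requests/2.32.3"
10.0.0.5 - - [11/May/2026:10:05:00 +0000] "POST /chat HTTP/1.1" 200 1900 "-" "internal-client/1.0"
""".splitlines()

def analyze(lines, expected_clients=frozenset(), sweep_threshold=3):
    """Return {source_ip: sorted reasons} for sources that match the page's indicators."""
    hits, probes = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in Combined Log Format
        ip, method, status = m["ip"], m["method"], int(m["status"])
        path = m["target"].split("?", 1)[0].rstrip("/") or "/"
        if SCANNER_UA in m["ua"]:
            hits[ip].add("scanner-user-agent")
        if ip == SCANNER_IP:
            hits[ip].add("known-scanner-ip")
        # Access logs do not record whether a request carried credentials, so a
        # served (2xx) request is flagged only when the source is not an expected client.
        if (method, path) in VULN_ENDPOINTS and 200 <= status < 300 and ip not in expected_clients:
            hits[ip].add(f"served {method} {path}")
        if path in FINGERPRINT_PATHS:
            probes[ip].add(path)
    for ip, paths in probes.items():
        if len(paths) >= sweep_threshold:  # several distinct fingerprint paths from one source
            hits[ip].add(f"fingerprint-sweep ({len(paths)} paths)")
    return {ip: sorted(reasons) for ip, reasons in hits.items()}

if __name__ == "__main__":
    for ip, reasons in analyze(SAMPLE_LOG, expected_clients={"10.0.0.5"}).items():
        print(ip, reasons)
```

A 2xx response on /agents or /chat to a source outside the allowlist is the line to triage first, since it means the legacy server answered the request rather than rejecting it.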
Indicators of Compromise
Network indicators:
- Source IP observed by Sysdig: 146.190.133.49
- User agent observed by Sysdig: CVE-Detector/1.0
- Targeted endpoint observed by Sysdig: GET /agents
- PraisonAI-related paths observed in scanning: /api/agents/config, /api/agents, /api/v1/agents, /api/tasks, /api/tools, /praisonai/version.txt
Host indicators:
- Unexpected execution of the configured PraisonAI agents.yaml workflow
- Model-provider usage spikes after unauthenticated /chat requests
- Agent process activity inconsistent with expected workflow triggers
Attribution:
- Threat actor: Unknown
- Confidence basis: Public sources describe scanner behavior and do not identify an operator.
Disclosure Timeline
2026-05-03 — GitHub Advisory Published
GitHub published GHSA-6rmh-7xcm-cpxj for PraisonAI, describing the legacy API server authentication bypass and listing affected versions 2.5.6 through 4.6.33.
2026-05-08 — NVD Entry Published
NIST published the NVD entry for CVE-2026-44338, describing unauthenticated access to /agents and workflow triggering through /chat in affected PraisonAI versions.
2026-05-11 — Sysdig Observes Targeted Probing
Sysdig reported that scanner traffic pivoted from generic reconnaissance to PraisonAI-specific paths and reached the vulnerable /agents endpoint during the advisory timeline it tracked.
2026-05-12 — Sysdig Research Published
Sysdig published analysis describing the observed probing activity, practical indicators, and recommended defensive actions.
Sources & References
- Sysdig: CVE-2026-44338: PraisonAI authentication bypass in under 4 hours and the growing trend of rapid exploitation — Sysdig, 2026-05-12
- GitHub Security Advisory: GHSA-6rmh-7xcm-cpxj — GitHub Security Advisory, 2026-05-03
- National Vulnerability Database: CVE-2026-44338 — National Vulnerability Database, 2026-05-08