PraisonAI CVE-2026-44338 Auth Bypass Targeted Within Hours of Disclosure Ravie Lakshmanan May 14, 2026 Vulnerability / API Security Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI , an open-source multi-agent orchestration framework, within four hours of its public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the API server's protected functionality without a token. " PraisonAI ships a legacy Flask API server with authentication disabled by default," according to an advisory released by the maintainers earlier this month. "When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token." Specifically, the legacy Flask-based API server, src/praisonai/api_server.py, hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None.
According to PraisonAI, successful exploitation of the flaw can have varied impacts, including - Unauthenticated enumeration of the configured agent file through /agents Unauthenticated triggering of the locally configured "agents.yaml" workflow through /chat Repeated consumption of the model/API quota, and Exposure of the results of PraisonAI.run() to the unauthenticated caller "The impact therefore, depends on what the operator's agents.yaml is allowed to do, but the authentication bypass is unconditional in the shipped legacy server," PraisonAI said.
The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33. It has been patched in version 4.6.34. Security researcher Shmulik Cohen has been credited with discovering and reporting the bug. In a report published by Sysdig this week, the cloud security company said it observed attempts to exploit the flaw within hours of it becoming public knowledge. "Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances," it said. "The advisory was published [on May 11, 2026,] at 13:56 UTC.
The first targeted request landed at 17:40 UTC the same day." The activity, per Sysdig, originated from the IP address 146.190.133[.]49 and followed a packaged-scanner profile that carried out two passes spaced eight minutes apart, with each pass pushing approximately 70 requests in roughly 50 seconds. While the first pass scanned generic disclosure paths (/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock), the second pass specifically singled out AI-agent surfaces, including PraisonAI. "The probe that matched CVE-2026-44338 directly was a single GET /agents with no Authorization header and User-Agent CVE-Detector/1.0," Sysdig said. "That request returns 200 OK with body {"agent_file":"agents.yaml","agents":[...]}, confirming the bypass was successful." The scanner has not been found to send any POST request to the "/chat" endpoint during either pass, indicating the activity is consistent with an initial check to determine if the auth bypass works and confirm if the host is exploitable via CVE-2026-44338.
The rapid exploitation of the PraisonAI is the latest example of a broader trend where threat actors are increasingly adopting newly disclosed flaws into their arsenal before they can be patched. Users are advised to apply the latest fixes as soon as possible, audit existing deployments, review model provider billing for any suspicious activity, and rotate credentials referenced in "agents.yaml." "Adversary tooling has scaled to the entire AI and agent ecosystem – no matter the size, and not just the household names – and the operating assumption for any project that ships an unauthenticated default must be that the window between disclosure and active exploitation is measured in single-digit hours," Sysdig said.
Found this article interesting? Follow us on Google News , Twitter LinkedIn to read more exclusive content we post. Tweet Share Share Share AI Agent , API Security , Authentication bypass , cybersecurity , PraisonAI , Sysdig , Threat Intelligence , Vulnerability ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Trellix Confirms Source Code Breach With Unauthorized Repository Access ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Day Zero Readiness: The Operational Gaps That Break Incident Response We Scanned 1 Million Exposed AI Services.
Here's How Bad the Security Actually Is ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster Cybersecurity Webinars Building Stronger Defenses Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Register Reduce AppSec Risk Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. ⚡ Latest News Cybersecurity Resources Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.
Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. Expert Insights Articles Videos From Phishing to Recovery: Breaking the Ransomware Attack Chain May 04, 2026 Read ➝ Mythos is Coming: What the Next Six Months Require Your Biggest Security Risk Isn’t Malware — It's What You Already Trust CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide April 27, 2026 Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.