Full Report
Threat actors have been observed attempting to exploit a recently disclosed security vulnerability in PraisonAI, an open-source multi-agent orchestration framework, within four hours of public disclosure. The vulnerability in question is CVE-2026-44338 (CVSS score: 7.3), a case of missing authentication that exposes sensitive endpoints to anyone, potentially allowing an attacker to invoke the
Analysis Summary
# Vulnerability: PraisonAI Authentication Bypass via Missing Authentication
## CVE Details
- **CVE ID**: CVE-2026-44338
- **CVSS Score**: 7.3 (High)
- **CWE**: CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products**: PraisonAI (Open-source multi-agent orchestration framework)
- **Versions**: Python package versions 2.5.6 through 4.6.33
- **Configurations**: Deployments using the legacy Flask-based API server (`src/praisonai/api_server.py`) where authentication is disabled by default.
## Vulnerability Description
The vulnerability stems from a hard-coded configuration in the framework's legacy Flask API server. Specifically, the script explicitly sets `AUTH_ENABLED = False` and `AUTH_TOKEN = None`. This lack of authentication allows any remote caller with network access to the API server to interact with sensitive endpoints without providing a security token.
## Exploitation
- **Status**: **Exploited in the wild.** Targeted scanning activity was observed within 3 hours and 44 minutes of public disclosure.
- **Complexity**: Low
- **Attack Vector**: Network
- **PoC Availability**: Functional exploitation demonstrated by security scanners (e.g., `CVE-Detector/1.0`) targeting the `/agents` endpoint.
## Impact
- **Confidentiality**: High. Attackers can enumerate configured agent files and expose results of `PraisonAI.run()`.
- **Integrity**: Medium. Attackers can trigger the `agents.yaml` workflow through the `/chat` endpoint.
- **Availability**: Medium. Unauthorized users can repeatedly invoke the API, leading to the exhaustion of model/API quotas and potential denial of service.
## Remediation
### Patches
- Update the PraisonAI Python package to **version 4.6.34** or higher.
### Workarounds
- Disable the legacy Flask API server if it is not required for current operations.
- Implement network-level access controls (Firewalls/ACLs) to restrict access to the API server to trusted IP addresses only.
- Rotate any API keys or credentials referenced within the `agents.yaml` file if exposure is suspected.
## Detection
- **Indicators of Compromise (IoCs)**:
- IP Address: `146.190.133[.]49`
- User-Agent: `CVE-Detector/1.0`
- **Detection Methods**:
- Monitor web server logs for unauthorized `GET` requests to `/agents`.
- Monitor for unauthorized `POST` requests to `/chat` without valid authorization headers.
- Review model provider billing dashboards for unexpected spikes in API consumption.
## References
- **Vendor Advisory**: [https://github.com/advisories/GHSA-6rmh-7xcm-cpxj](https://github.com/advisories/GHSA-6rmh-7xcm-cpxj)
- **Technical Analysis**: [https://www.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation](https://www.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation)
- **NVD Listing**: [https://nvd.nist.gov/vuln/detail/CVE-2026-44338](https://nvd.nist.gov/vuln/detail/CVE-2026-44338)