Threat actors have started targeting a newly disclosed vulnerability in PraisonAI, an open-source multi-agent orchestration framework, just hours after the flaw became public.
The security issue, tracked as CVE-2026-44338, carries a CVSS score of 7.3 and stems from missing authentication protections in PraisonAI’s legacy Flask-based API server. The vulnerability could allow unauthorized users to access sensitive endpoints and trigger protected functionality without requiring any authentication token.
Authentication Disabled by Default
According to an advisory released by the PraisonAI maintainers earlier this month, the framework ships with authentication disabled by default in its legacy API server.
The vulnerable component, located in:
src/praisonai/api_server.py
contains hard-coded settings:
AUTH_ENABLED = False
AUTH_TOKEN = None
As a result, any attacker capable of reaching the exposed server can access critical endpoints such as /agents and /chat without credentials.
Potential Impact of the Vulnerability
Successful exploitation of CVE-2026-44338 may allow attackers to:
- Enumerate configured agent files through the /agents endpoint
- Trigger locally configured agents.yaml workflows via /chat
- Consume AI model or API quotas repeatedly
- Access outputs generated by PraisonAI.run()
- Potentially abuse workflows depending on the permissions configured in agents.yaml
PraisonAI noted that the overall impact largely depends on what actions the deployed agents are configured to perform.
Affected Versions and Patch Availability
The vulnerability affects all PraisonAI Python package versions from:
- 2.5.6 through 4.6.33
The issue has been fixed in:
- Version 4.6.34
Security researcher Shmulik Cohen has been credited with discovering and responsibly reporting the flaw.
Exploitation Attempts Detected Within Four Hours
Cloud security company Sysdig revealed that it observed active scanning attempts targeting the flaw less than four hours after the public advisory was released.
According to the report, the advisory became public on May 11, 2026, at 13:56 UTC, while the first exploitation attempt was recorded at 17:40 UTC the same day.
The activity originated from the IP address:
146.190.133.49
The scanner identified itself using the User-Agent string:
CVE-Detector/1.0
Attack Pattern Observed
Sysdig said the attacker performed two scanning waves approximately eight minutes apart, with each wave sending around 70 requests within 50 seconds.
The first wave targeted common disclosure endpoints such as:
/.env, /admin, /users/sign_in, /eval, /calculate, /Gemfile.lock
The second wave specifically targeted AI-agent infrastructure, including PraisonAI systems.
One notable request involved:
GET /agents
without any Authorization header.
The server reportedly responded with:
{
"agent_file":"agents.yaml",
"agents":[...]
}
confirming that the authentication bypass worked successfully.
No Evidence of Full Exploitation Yet
While the scanner successfully confirmed vulnerable systems, Sysdig noted that it did not observe any POST requests to the /chat endpoint during the scans. This suggests the activity was likely focused on identifying exploitable targets rather than launching full attacks.
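A triage pass over proxy logs for the pattern described above, as an added example that is not code from Sysdig or the PraisonAI project: it flags requests to /agents and /chat that carried no Authorization header yet received a 2xx response, and separates enumeration from workflow triggers. The JSON-lines log format, its field names and the sample records are assumptions constructed for illustration.

```python
import json

# Constructed sample records, not real traffic. Assumed format: JSON lines from
# a reverse proxy that records whether an Authorization header was present.
SAMPLE_LOG = """\
{"ts":"2026-05-12T09:00:02Z","src":"198.51.100.7","method":"GET","path":"/.env","status":404,"auth":false,"ua":"CVE-Detector/1.0"}
{"ts":"2026-05-12T09:08:10Z","src":"198.51.100.7","method":"GET","path":"/agents","status":200,"auth":false,"ua":"CVE-Detector/1.0"}
{"ts":"2026-05-12T09:22:31Z","src":"203.0.113.9","method":"POST","path":"/chat","status":200,"auth":false,"ua":"curl/8.5.0"}
{"ts":"2026-05-12T09:25:00Z","src":"192.0.2.20","method":"POST","path":"/chat","status":200,"auth":true,"ua":"internal-client/2.1"}
{"ts":"2026-05-12T09:26:00Z","src":"203.0.113.9","method":"GET","path":"/agents","status":401,"auth":false,"ua":"curl/8.5.0"}
"""

# Endpoints the advisory names as reachable without credentials.
SENSITIVE = {("GET", "/agents"): "agent-enumeration",
             ("POST", "/chat"): "workflow-trigger"}
SCANNER_UA = "CVE-Detector/1.0"  # User-Agent string reported in the article

def triage(log_text):
    """Return unauthenticated requests to sensitive endpoints that got a 2xx."""
    findings = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting
        if not isinstance(rec, dict):
            continue
        path = str(rec.get("path", "")).split("?", 1)[0].rstrip("/")
        kind = SENSITIVE.get((str(rec.get("method", "")).upper(), path))
        status = rec.get("status")
        served = isinstance(status, int) and 200 <= status < 300
        if kind is None or rec.get("auth") or not served:
            continue
        findings.append({"ts": rec.get("ts"), "src": rec.get("src"), "kind": kind,
                         "known_scanner": rec.get("ua") == SCANNER_UA})
    return findings

def summarize(findings):
    """Count findings per kind; a workflow-trigger hit means /chat accepted an unauthenticated call."""
    counts = {kind: 0 for kind in SENSITIVE.values()}
    for f in findings:
        counts[f["kind"]] += 1
    return counts

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

An agent-enumeration finding matches the reconnaissance Sysdig described; a workflow-trigger finding goes beyond it and warrants reviewing what the configured agents did and what model quota was consumed.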
AI Infrastructure Becoming a Growing Target
The rapid targeting of PraisonAI highlights a growing cybersecurity trend where attackers quickly weaponize newly disclosed vulnerabilities before organizations can deploy patches.
Security experts are urging users to:
- Upgrade immediately to PraisonAI version 4.6.34
- Audit internet-exposed deployments
- Review API and model provider billing activity
- Rotate credentials stored in agents.yaml
- Restrict unnecessary public access to AI agent infrastructure
Sysdig warned that attackers are increasingly expanding their focus beyond major platforms and are now actively scanning the broader AI ecosystem for weaknesses.
According to the company, organizations should assume that any publicly disclosed vulnerability in AI tooling could face exploitation attempts within hours of disclosure.
