PraisonAI Flaw Exploited Within Hours of Disclosure: A Race Against Time for Security Teams
Threat actors are rapidly weaponizing newly disclosed vulnerabilities, as demonstrated by the swift exploitation of a flaw in **PraisonAI**, an open-source multi-agent orchestration framework. The **CVE-2026-44338** vulnerability, an authentication bypass, was targeted within four hours of its public disclosure, highlighting the shrinking window for patching.

### Rapid Exploitation of PraisonAI Vulnerability
Security researchers have observed threat actors actively exploiting **CVE-2026-44338**, a critical vulnerability in **PraisonAI**. This flaw allows unauthenticated access to sensitive endpoints, potentially enabling attackers to invoke the API server's protected functionality without authorization.
### CVE-2026-44338: Authentication Bypass Details
The vulnerability, tracked as **CVE-2026-44338** (CVSS score: 7.3), stems from a missing authentication check. According to an advisory, **PraisonAI** ships with a legacy Flask API server that has authentication disabled by default. This means that any caller able to reach the server can access `/agents` and trigger the configured `agents.yaml` workflow through `/chat` without needing a token.
The legacy Flask-based API server (`src/praisonai/api_server.py`) hardcodes `AUTH_ENABLED = False` and `AUTH_TOKEN = None`. Successful exploitation can lead to:
* Unauthenticated enumeration of the configured agent file through `/agents`
* Unauthenticated triggering of the locally configured `agents.yaml` workflow through `/chat`
* Repeated consumption of the model/API quota
* Exposure of the results of `PraisonAI.run()` to the unauthenticated caller
The impact varies depending on the operator's `agents.yaml` configuration, but the authentication bypass is unconditional in the shipped legacy server.
### Affected Versions and Mitigation
The vulnerability affects all versions of the Python package from 2.5.6 through 4.6.33. A patch is available in version 4.6.34. Credit for discovering and reporting the vulnerability goes to security researcher Shmulik Cohen.
### Real-World Exploitation Observed
**Sysdig** reported observing exploitation attempts within hours of the vulnerability's public disclosure.
"Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances," **Sysdig** stated. "The advisory was published [on May 11, 2026,] at 13:56 UTC. The first targeted request landed at 17:40 UTC the same day."
The activity originated from IP address 146.190.133[.]49 and followed a packaged-scanner profile, conducting two passes with approximately 70 requests each.
### Scanner Behavior and Implications
The first pass scanned generic disclosure paths, while the second specifically targeted AI-agent surfaces, including **PraisonAI**. The probe matching **CVE-2026-44338** was a `GET /agents` request without an Authorization header, confirming the bypass was successful.
The scanner did not send any `POST` requests to the `/chat` endpoint, suggesting an initial check to verify the auth bypass and confirm exploitability.
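To separate the probe-only pattern described above from requests that actually ran the workflow, the following added example (not code from PraisonAI or Sysdig) triages access logs by source IP. It assumes a Combined Log Format access log from a reverse proxy or web server in front of the legacy API server with authentication still disabled, so any 2xx response on these paths was served without a token; the log lines and IP addresses are constructed samples.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - user [time] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0"
203.0.113.7 - - [11/May/2026:17:40:03 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"
198.51.100.23 - - [11/May/2026:18:02:10 +0000] "GET /agents?x=1 HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.23 - - [11/May/2026:18:02:11 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "curl/8.5.0"
192.0.2.50 - - [11/May/2026:18:05:00 +0000] "POST /chat HTTP/1.1" 401 40 "-" "python-requests/2.32"
not a log line
"""

def triage(log_text):
    """Group successful hits on /agents and /chat by source IP.

    Returns {ip: {"severity", "agents_hits", "chat_runs", "user_agents"}}.
    """
    hits = defaultdict(lambda: {"agents_hits": 0, "chat_runs": 0, "user_agents": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not m["status"].startswith("2"):
            continue  # unparseable line, or the request was rejected / not found
        path = m["path"].split("?", 1)[0].rstrip("/") or "/"
        if m["method"] == "GET" and path == "/agents":
            hits[m["ip"]]["agents_hits"] += 1
        elif m["method"] == "POST" and path == "/chat":
            hits[m["ip"]]["chat_runs"] += 1
        else:
            continue
        hits[m["ip"]]["user_agents"].add(m["ua"])
    report = {}
    for ip, h in hits.items():
        # A completed POST /chat means the workflow ran: review billing, rotate credentials.
        severity = "workflow-triggered" if h["chat_runs"] else "probe-only"
        report[ip] = {**h, "severity": severity, "user_agents": sorted(h["user_agents"])}
    return report

if __name__ == "__main__":
    for ip, entry in triage(SAMPLE_LOG).items():
        print(ip, entry)
```

A source that only reached `GET /agents` matches the verification-style probe; a source with a successful `POST /chat` warrants the billing review and credential rotation steps.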
### Recommendations for Security Professionals
The rapid exploitation of the **PraisonAI** flaw underscores the need for swift patching and proactive security measures. It is crucial to:
* Apply the latest fixes as soon as possible.
* Audit existing deployments for vulnerable versions.
* Review model provider billing for suspicious activity.
* Rotate credentials referenced in `agents.yaml`.
**Sysdig** emphasizes that adversary tooling is scaling to the entire AI and agent ecosystem, regardless of size. The operating assumption should be that the window between disclosure and active exploitation is now measured in single-digit hours for any project with unauthenticated defaults.