
Threat Actors Exploit PraisonAI Auth Bypass Within Hours of Disclosure


"PraisonAI ships a legacy Flask API server with authentication disabled by default," the project's maintainers warned — and within four hours, attackers were already knocking on the exposed door.

PraisonAI's legacy Flask API: how the bypass works

The flaw lives in a shipped, legacy component: src/praisonai/api_server.py hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None. In that configuration, any caller that can reach the server can access the /agents endpoint and trigger the agents.yaml workflow via /chat without providing a token. The maintainers summarized the problem plainly: "When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token."

CVE-2026-44338: technical specifics and impact

The issue is tracked as CVE-2026-44338 and carries a CVSS score of 7.3. PraisonAI described the consequences as conditional on the operator's agent definitions but concrete in scope: unauthenticated enumeration of the configured agent file through /agents; unauthenticated triggering of the locally configured agents.yaml workflow via /chat; repeated consumption of the model/API quota; and exposure of the results of PraisonAI.run() to the unauthenticated caller. The vulnerability affects all Python package versions from 2.5.6 through 4.6.33 and was patched in version 4.6.34. Security researcher Shmulik Cohen is credited with finding and reporting the bug.

Sysdig observed probes within three hours and 44 minutes

Cloud security company Sysdig reported that probes began almost immediately after public disclosure. "Within three hours and 44 minutes of the advisory becoming public, a scanner identifying itself as CVE-Detector/1.0 was probing the exact vulnerable endpoint on internet-exposed instances," Sysdig said. The advisory was published on May 11, 2026, at 13:56 UTC; the first targeted request arrived at 17:40 UTC the same day.

The activity originated from IP address 146.190.133[.]49 and followed a packaged-scanner profile that carried out two passes spaced eight minutes apart. Each pass pushed roughly 70 requests in about 50 seconds. The first pass targeted generic disclosure paths such as /.env, /admin, /users/sign_in, /eval, /calculate, and /Gemfile.lock; the second pass homed in on AI-agent surfaces, including PraisonAI.

Sysdig noted the exact request that confirmed the bypass: a single GET /agents with no Authorization header and User-Agent CVE-Detector/1.0. "That request returns 200 OK with body {"agent_file":"agents.yaml","agents":[...]}, confirming the bypass was successful," Sysdig reported. The scanner did not send POST requests to /chat during either pass, consistent with an initial reconnaissance step to confirm exploitability rather than execution of workflows.
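The following Python script is an added example, not code from Sysdig or the PraisonAI project. It turns the signals described above into a log check: a token-less request to /agents or /chat answered with 200 marks the bypass as live (a 401/403 means authentication is enforced), the CVE-Detector/1.0 user agent and the 146.190.133.49 source IP are treated as known indicators, and a per-IP, per-minute counter approximates the scanner's roughly-70-requests-in-50-seconds profile. The access-log layout, the sample lines and the helper names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

SCANNER_UA = "CVE-Detector/1.0"  # user agent named in the article
SCANNER_IP = "146.190.133.49"    # source IP named in the article
SENSITIVE = {("GET", "/agents"), ("POST", "/chat")}  # token-less legacy endpoints

# Assumed log layout (hypothetical): <iso-ts> <ip> "<METHOD> <path>" <status> auth=<none|bearer> ua="<ua>"
LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                     r'(?P<status>\d{3}) auth=(?P<auth>\S+) ua="(?P<ua>[^"]*)"$')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"], rec["status"] = datetime.fromisoformat(rec["ts"]), int(rec["status"])
    return rec

def classify(rec):
    tags = []
    if (rec["method"], rec["path"]) in SENSITIVE and rec["auth"] == "none":
        # 200 on a token-less call means the bypass is live; 401/403 means auth is enforced.
        tags.append("bypass-confirmed" if rec["status"] == 200 else "unauth-blocked")
    if rec["ua"] == SCANNER_UA or rec["ip"] == SCANNER_IP:
        tags.append("known-scanner")
    return tags

def scan(log_text, burst_min=50):
    # Returns (alerts, burst_ips); a burst is >= burst_min requests from one IP in one clock minute.
    alerts, per_minute = [], Counter()
    for rec in filter(None, map(parse, log_text.splitlines())):
        per_minute[(rec["ip"], rec["ts"].replace(second=0, microsecond=0))] += 1
        alerts += [(rec["ip"], rec["method"], rec["path"], rec["status"], tag)
                   for tag in classify(rec)]
    return alerts, {ip for (ip, _), n in per_minute.items() if n >= burst_min}

# Constructed sample log (not real traffic): a 70-request pass from the scanner IP over
# the article's generic paths ending in the confirming GET /agents, then benign traffic.
PROBES = ["/.env", "/admin", "/users/sign_in", "/eval", "/calculate", "/Gemfile.lock"]
_t0 = datetime(2026, 5, 11, 17, 40, tzinfo=timezone.utc)
def _line(sec, ip, method, path, status, auth, ua):
    return f'{(_t0 + timedelta(seconds=sec)).isoformat()} {ip} "{method} {path}" {status} auth={auth} ua="{ua}"'
SAMPLE_LOG = "\n".join(
    [_line(i, SCANNER_IP, "GET", PROBES[i % 6], 404, "none", SCANNER_UA) for i in range(69)]
    + [_line(69, SCANNER_IP, "GET", "/agents", 200, "none", SCANNER_UA),
       _line(1500, "203.0.113.7", "GET", "/agents", 200, "bearer", "python-requests/2.31"),
       _line(1800, "198.51.100.4", "POST", "/chat", 401, "none", "curl/8.4.0")])
```

Running `scan(SAMPLE_LOG)` flags the scanner IP as a burst source and the token-less GET /agents that returned 200 as a confirmed bypass, while the authenticated client produces no alert.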

Patch and mitigation: versions, credit, and recommended fixes

PraisonAI released a patch in version 4.6.34 to address the hard-coded disabled authentication. The affected range includes all package releases from 2.5.6 through 4.6.33. The public advisory names Shmulik Cohen as the researcher who discovered and reported the problem.

Responding to the observed exploitation timeline, the community guidance in the advisory and related coverage is direct: apply the patched release immediately, audit existing deployments for internet-exposed instances of the legacy Flask server, review model-provider billing for unexpected consumption, and rotate any credentials referenced in agents.yaml. Those are the concrete steps specified by PraisonAI and echoed in the reporting of the exploitation activity.

What this means for technologists, procurement leaders, and adversaries

  • Technologists and security teams: Treat any deployment that uses the legacy Flask server as high priority for patching and discovery. The probes observed used a lightweight scanner profile and a simple GET to confirm the flaw; detection and containment must assume fast, automated checks will arrive within hours of disclosure.
  • Procurement and ops leaders: Inventory any use of PraisonAI across projects and third-party integrations. The impact "depends on what the operator's agents.yaml is allowed to do," meaning billing, data leakage, or unintended actions are tied to local configuration and thus to procurement and configuration choices.
  • Adversaries and automated tooling authors: The behavior recorded by Sysdig illustrates an established pattern—initial, low-cost reconnaissance requests to verify unauthenticated endpoints, followed by potential exploitation once a target is confirmed. The public record shows attackers will incorporate new high-value targets rapidly.

Sysdig summed the operational lesson plainly: "Adversary tooling has scaled to the entire AI and agent ecosystem – no matter the size, and not just the household names – and the operating assumption for any project that ships an unauthenticated default must be that the window between disclosure and active exploitation is measured in single-digit hours." For operators of PraisonAI, that is not an abstract admonition but a timetable already demonstrated in the field.
