Hackers Exploit PraisonAI Auth Bypass Hours After Disclosure
Sysdig detected CVE-2026-44338 exploitation attempts within 3 hours 44 minutes of public advisory — attackers probed /agents on exposed PraisonAI instances.

Executive Summary
Attackers began probing internet-exposed PraisonAI instances for a recently disclosed authentication bypass vulnerability within hours of its public advisory, according to application protection firm Sysdig. Tracked as CVE-2026-44338, the flaw affects PraisonAI versions 2.5.6 through 4.6.33 and stems from a legacy Flask API server that shipped with authentication disabled by default. Sysdig observed a scanner identifying itself as CVE-Detector/1.0 hitting the vulnerable /agents endpoint just 3 hours and 44 minutes after the advisory went public, marking another example of the shrinking window between disclosure and active exploitation.
Technical Analysis
PraisonAI is a multi-agent framework that enables organizations to deploy autonomous AI agents for complex task execution. The vulnerability exists because the framework's legacy Flask API server — included in versions 2.5.6 to 4.6.33 — has authentication disabled by default. A NIST advisory explains that any caller able to reach the server can access the /agents endpoint to retrieve configured agent metadata and trigger the agents.yaml workflow via the /chat endpoint without providing a token. The /chat endpoint accepts any JSON body with a message key and executes the workflow, ignoring the message value entirely.
Sysdig's telemetry captured the first exploitation attempt 3 hours and 44 minutes after the advisory was published. The scanner, which identified itself as CVE-Detector/1.0, ran two passes eight minutes apart. Each pass pushed approximately 70 requests in roughly 50 seconds. The first pass swept generic disclosure paths such as /.env, /admin, /users/sign_in, /eval, /calculate, and /Gemfile.lock. The second pass narrowed to AI-agent surfaces, specifically targeting /agents.
Notably, the scanner did not send requests to the /chat endpoint, indicating the activity was reconnaissance and validation rather than interactive exploitation. Sysdig assesses the pattern as: "Enumerate the agent list, confirm the auth bypass works, log the host as exploitable, and move on. Follow-on tooling is typically separate."
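Detection logic for the pattern described above, as an added example that is not part of the original article or of Sysdig's tooling: it parses constructed combined-format access-log lines and flags the reported scanner user agent, a burst of distinct paths from one source (the sweep), and untrusted sources that successfully reached /agents or /chat. The TRUSTED allowlist, the burst thresholds and the sample log lines are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in combined log format; they are not telemetry from the article.
SWEEP = ["/.env", "/admin", "/users/sign_in", "/eval", "/calculate", "/Gemfile.lock"]
SAMPLE_LOG = "\n".join(
    f'203.0.113.7 - - [18/May/2026:09:14:{i:02d} +0000] "GET {p} HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"'
    for i, p in enumerate(SWEEP)) + """
203.0.113.7 - - [18/May/2026:09:22:10 +0000] "GET /agents HTTP/1.1" 200 812 "-" "CVE-Detector/1.0"
10.0.0.5 - - [18/May/2026:09:30:00 +0000] "POST /chat HTTP/1.1" 200 2048 "-" "python-requests/2.31"
198.51.100.9 - - [18/May/2026:09:31:00 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
SENSITIVE = {"/agents", "/chat"}   # token-less endpoints on affected PraisonAI versions
SCANNER_UA = "CVE-Detector/1.0"    # user agent Sysdig observed
TRUSTED = {"10.0.0.5"}             # assumption: operator allowlist of legitimate callers
BURST_PATHS, BURST_WINDOW = 5, timedelta(seconds=60)  # assumption: tunable sweep thresholds

def parse(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def is_burst(recs):
    """True if one source hit BURST_PATHS distinct paths inside BURST_WINDOW."""
    recs = sorted(recs, key=lambda r: r["ts"])
    return any(len({r["path"] for r in recs[i:] if r["ts"] - s["ts"] <= BURST_WINDOW}) >= BURST_PATHS
               for i, s in enumerate(recs))

def detect(log_text):
    """Return {ip: sorted reasons} for sources that match the reported pattern."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse, log_text.splitlines())):
        by_ip[rec["ip"]].append(rec)
    findings = defaultdict(set)
    for ip, recs in by_ip.items():
        if any(r["ua"] == SCANNER_UA for r in recs):
            findings[ip].add("known scanner user agent")
        if is_burst(recs):
            findings[ip].add("path enumeration burst")
        for r in recs:
            if r["path"] in SENSITIVE and r["status"] == "200" and ip not in TRUSTED:
                findings[ip].add(f"untrusted source reached {r['path']}")
    return {ip: sorted(v) for ip, v in findings.items()}
```

A 200 on /agents or /chat from an unlisted source is the signal worth paging on, since on affected versions it means the bypass was confirmed rather than merely attempted.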
Achieving remote code execution (RCE) through this vulnerability is not straightforward, Sysdig notes. An unauthenticated attacker can only trigger whatever workflow agents.yaml is configured for. In production environments, these workflows typically make calls to LLM providers (Anthropic, Bedrock, OpenAI), grant access to tools including code interpreters, shells, and file I/O, or return agent file names and lists. As Sysdig puts it: "The bypass itself is not arbitrary code execution. But because it removes authentication from a workflow trigger that an operator deliberately exposed to do something useful, the impact ceiling is whatever that workflow is allowed to do."
Mitigations & Recommendations
Organizations should update PraisonAI deployments to version 4.6.34, which resolves the vulnerability. Given the observed rapid scanning activity, defenders should also audit any internet-exposed instances of PraisonAI immediately — particularly checking whether the legacy Flask API server is enabled and whether /agents or /chat endpoints are reachable without authentication. Network-level access controls (firewall rules, VPN requirements) should be applied to restrict access to these endpoints to trusted IP ranges only. Sysdig's findings underscore that the window for patching after a high-severity advisory has shrunk to hours, not days.