PraisonAI auth flaw hit by scanners in 4 hours
Key insights
- CVE-2026-44338 exposes PraisonAI's /agents and /chat endpoints to unauthenticated callers on all versions 2.5.6 through 4.6.33.
- Automated scanners identified and probed the vulnerable endpoint within four hours of the public advisory dropping on May 11.
- The fix is a version upgrade to 4.6.34 or disabling the legacy api_server.py entrypoint on existing deployments.
Why this matters
Self-hosted AI agent frameworks are increasingly deployed on public or semi-public infrastructure, and a missing-authentication flaw at the API layer means attackers gain not just data access but the ability to execute configured workflows, which may include tool calls, external API integrations, and sensitive internal system access. The four-hour scanner response window compresses the viable patching runway to near-zero for teams without automated vulnerability monitoring tied directly to their deployment pipeline. For founders and technical leaders building on top of open-source agent frameworks, this is a concrete signal that the attack surface of AI orchestration layers is being actively mapped and monetized at the same speed as traditional web CVEs.
Summary
PraisonAI's legacy Flask API server shipped with a missing-authentication vulnerability that leaves every configured agent workflow open to anyone who can reach the server. CVE-2026-44338 (CVSS 7.3) allows unauthenticated callers to hit the /agents and /chat endpoints directly, meaning attackers can invoke, enumerate, and abuse whatever workflows a deployment has configured without needing a token or credential of any kind.
The advisory was published on May 11 at 13:56 UTC. By 17:40 UTC the same day, a scanner self-identifying as CVE-Detector/1.0 was already probing the exact vulnerable endpoint, a window of roughly four hours from disclosure to automated exploitation targeting.
In short, default internet-exposed PraisonAI installs left agent execution fully public across 28 version increments.
- All versions from 2.5.6 through 4.6.33 are affected; the fix is in 4.6.34.
- The vulnerable entrypoint is the legacy api_server.py file, which can be disabled as a workaround without upgrading.
- The flaw isn't credential theft; it's direct execution access to production agent pipelines.
The four-hour scanner response time is now a baseline assumption for any CVE touching AI infrastructure, and teams running self-hosted agent frameworks on public IPs need patch-to-deploy cycles measured in hours, not days.
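For teams that need to check whether their own deployment was probed, the following added example (not code from the article or from PraisonAI) triages access logs for post-disclosure requests to /agents and /chat and tests a version string against the affected range. It assumes combined-format logs from a reverse proxy in front of the API server, a hypothetical `trusted_ips` allowlist, and 2026 as the disclosure year (inferred from the CVE id).

```python
import re
from datetime import datetime, timezone

# Values taken from the article above.
AFFECTED_MIN, FIXED = (2, 5, 6), (4, 6, 34)
ENDPOINTS = ("/agents", "/chat")
SCANNER_UA = "CVE-Detector/1.0"
# Assumption: the year is 2026 (inferred from the CVE id); the article says only "May 11".
DISCLOSED = datetime(2026, 5, 11, 13, 56, tzinfo=timezone.utc)
# Assumption: access logs are in combined log format (e.g. from a reverse proxy).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def is_affected(version: str) -> bool:
    """True for 2.5.6 <= version < 4.6.34 (plain numeric x.y.z only)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return AFFECTED_MIN <= parts < FIXED

def triage(lines, trusted_ips=frozenset()):
    """Return post-disclosure hits on the exposed endpoints from untrusted sources."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["ip"] in trusted_ips:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        path = m["path"].split("?", 1)[0].rstrip("/")
        if ts >= DISCLOSED and path in ENDPOINTS:
            hits.append({
                "ip": m["ip"], "time": ts.isoformat(), "path": path,
                "served": m["status"].startswith("2"),  # 2xx: the request was answered
                "known_scanner": SCANNER_UA in m["ua"],
            })
    return hits

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '10.0.0.5 - - [11/May/2026:12:00:01 +0000] "POST /chat HTTP/1.1" 200 512 "-" "internal-client/2.0"',
    '203.0.113.7 - - [11/May/2026:17:40:12 +0000] "GET /agents HTTP/1.1" 200 834 "-" "CVE-Detector/1.0"',
    '198.51.100.9 - - [11/May/2026:18:02:44 +0000] "POST /chat?x=1 HTTP/1.1" 200 1290 "-" "python-requests/2.32"',
    '198.51.100.9 - - [11/May/2026:18:03:10 +0000] "GET /health HTTP/1.1" 404 0 "-" "python-requests/2.32"',
    '10.0.0.5 - - [12/May/2026:09:15:00 +0000] "POST /chat HTTP/1.1" 200 600 "-" "internal-client/2.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE, trusted_ips={"10.0.0.5"}):
        print(hit)
```

Any hit with `served` set to true from an address outside the allowlist means a workflow endpoint answered an external caller and the corresponding agent run should be reviewed.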
Potential risks and opportunities
Risks
- Organizations running PraisonAI 2.5.6 through 4.6.33 with internet-facing deployments and no network-layer access controls may have had agent workflows invoked and logged by external scanners between May 11 and the time of patching.
- Downstream SaaS products or internal tooling built on top of PraisonAI's legacy API server without version pinning could remain vulnerable indefinitely if operators treat the framework as a black-box dependency with no active CVE tracking.
- The four-hour exploitation window sets a precedent that pressures every open-source AI agent framework maintainer to treat security advisories as simultaneous patch releases, and teams that don't meet that bar face reputational and customer-trust consequences within the same news cycle.
Opportunities
- API security monitoring vendors (Traceable AI, Salt Security, Noname Security) can use this incident to accelerate pipeline conversations with enterprises running self-hosted agent frameworks that currently have no runtime visibility into unauthenticated endpoint access.
- Cloud AI deployment platforms (Modal, Replicate, Beam) that enforce authentication at the infrastructure layer by default gain a concrete differentiation argument against self-hosted open-source deployments in post-incident vendor reviews.
- Vulnerability intelligence services (Nucleus Security, Vulcan Cyber) that can demonstrate sub-four-hour CVE-to-alert pipelines specifically for AI framework CVEs have a clear upsell opportunity to the growing segment of teams running PraisonAI, CrewAI, and similar orchestration stacks in production.
What we don't know yet
- Whether any confirmed exploitation of production PraisonAI deployments occurred between the 13:56 UTC disclosure and the scanner activity at 17:40 UTC on May 11.
- Which specific operator categories (enterprise, hobbyist, cloud-hosted SaaS builders) represent the largest share of the estimated internet-exposed affected instances.
- Whether CVE-Detector/1.0 is linked to a known threat actor group or represents a new automated CVE-weaponization service appearing after May 2026.
Originally reported by thehackernews.com
Original headline: PraisonAI CVE-2026-44338 Auth Bypass Targeted by Automated Scanners Within 4 Hours of Disclosure — All Agent Workflows Exposed on Default Installs