AI & DevelopmentSecurity

CVE-2026-44338: PraisonAI Auth Bypass Exploited in 4 Hours

21 views0
PraisonAI CVE-2026-44338 authentication bypass vulnerability - broken padlock with AUTH_ENABLED False code
CVE-2026-44338: PraisonAI ships with authentication disabled by default
ByteBotBy
Share

An automated scanner named CVE-Detector/1.0 found PraisonAI’s open API endpoints 3 hours, 44 minutes, and 39 seconds after the GitHub advisory went live. Not days. Not hours of human investigation. Three hours and forty-four minutes. The root cause is exactly what it looks like: the framework ships with AUTH_ENABLED = False hardcoded into its legacy Flask API server. If you are running PraisonAI versions 2.5.6 through 4.6.33, you need to act now.

What PraisonAI Is

PraisonAI is an open-source multi-agent orchestration framework. About 8,000 GitHub stars, MIT license, 100+ LLM integrations including OpenAI, Anthropic, and local models via Ollama. It is positioned as production-ready, and a significant number of developers are using it exactly that way — wiring it to live databases, cloud APIs, and internal tooling.

That context matters for what comes next.

The Flaw

CVE-2026-44338, published in the GitHub Advisory Database (GHSA-6rmh-7xcm-cpxj) and catalogued in the NVD, lives in src/praisonai/api_server.py — the legacy Flask API server. The defaults are not an oversight. They are hardcoded:

AUTH_ENABLED = False
AUTH_TOKEN = None

The check_auth() helper returns True whenever AUTH_ENABLED is false. Protected routes fail open. Every request is treated as authenticated. The server binds to 0.0.0.0:8080 — every network interface, not just localhost.

Two endpoints are fully exposed:

  • GET /agents — returns the list of configured agents, their names, definitions, and tool configurations. No credentials required.
  • POST /chat — triggers the workflow defined in agents.yaml. The message you send is largely irrelevant; the server executes whatever the configuration says, unauthenticated.

CVSS score is 7.3 HIGH (AV:N/AC:L/PR:N/UI:N), which means network-accessible, low complexity, no privileges required, no user interaction. The Sysdig threat research team documented the full exploitation timeline.

What Attackers Can Actually Do

This matters more than the CVSS number. PraisonAI agents typically carry real credentials — cloud provider API keys, database connection strings, Google Drive access, Slack workspace tokens. When an attacker hits your /chat endpoint, they are not executing a script in a sandbox. They are running a workflow that may have write access to your production infrastructure.

  • Enumerate your entire agent setup via GET /agents
  • Trigger your configured workflow on demand, as many times as they want
  • Burn through your AI provider credits (OpenAI, Anthropic, Google billing spikes)
  • Exfiltrate data from any service the agent has credentials for
  • Execute any tool in the agent’s toolkit: code interpreter, file I/O, web search

Repeated, automated POST /chat calls will exhaust your API quota and generate real financial charges. Attackers have every incentive to script this.

Affected Versions and the Fix

Versions 2.5.6 through 4.6.33 are vulnerable. That covers essentially all PyPI releases published before the patch. Version 4.6.34 is the fix. Upgrade immediately:

pip install praisonai --upgrade

Upgrading alone is not enough if you are using the legacy api_server.py entrypoint. The better path is migrating to the new serve agents command, which defaults to binding 127.0.0.1 (loopback only) and requires an --api-key argument. Authentication is enforced by default on the new path.

This Is a Pattern, Not an Anomaly

Earlier this year, OpenClaw — another popular AI agent framework — disclosed CVE-2026-25253 (CVSS 8.8): over 42,000 exposed control panels without authentication, 135,000 instances internet-exposed. The framework gained adoption faster than its security model matured.

PraisonAI is a different codebase but the same story: developer-experience-first, security-second. That trade-off made sense when these frameworks were side-project curiosities. It does not make sense when developers are wiring them to production credentials. CISA’s Secure by Design initiative explicitly flags CWE-1188 (Initialization with Insecure Default) as a critical bad practice. CVE-2026-44338 is what that bad practice looks like in a production AI agent stack.

What to Do Right Now

  1. Check your version: pip show praisonai | grep Version — if it is below 4.6.34, you are vulnerable
  2. Upgrade: pip install praisonai --upgrade
  3. Audit network exposure: Is port 8080 reachable from outside your machine or VPC? It should not be.
  4. Review billing: Check OpenAI, Anthropic, and Google Cloud dashboards for unusual API usage since May 11, 2026
  5. Rotate credentials: Any API keys in agents.yaml should be considered compromised if you were running a vulnerable version with a publicly accessible server
  6. Migrate: Move to the serve agents command; stop using the legacy API server

The scanner that hit PraisonAI instances on May 11 was automated. Assume it was not the only one.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
    Previous
    Next

    You may also like

    Leave a reply

    Your email address will not be published. Required fields are marked *

    More in:AI & Development