A newly disclosed security flaw in PraisonAI is already being targeted by threat actors just hours after its public disclosure, highlighting the growing speed at which cybercriminals weaponize vulnerabilities in AI-related platforms.
The vulnerability, tracked as CVE-2026-44338, affects the legacy Flask-based API server included in PraisonAI. The flaw carries a CVSS severity score of 7.3 and allows attackers to access protected endpoints without authentication.
According to the advisory published by the project maintainers, the issue exists because authentication is disabled by default in the legacy API server. With that default in place, any remote user who can reach the server can interact with sensitive API endpoints without presenting a valid token.
PraisonAI is an open-source framework designed to orchestrate AI agents and workflows. The vulnerable component is located in the legacy Flask API server file:
src/praisonai/api_server.py
Researchers found that the application hard-coded the following insecure settings:
AUTH_ENABLED = False
AUTH_TOKEN = None
As a result, attackers can directly access the /agents endpoint and trigger workflows through the /chat endpoint without authorization.
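To make the defect concrete, here is an added example (written for this page, not code from PraisonAI's api_server.py) that models the legacy default beside a fail-closed alternative. It is plain WSGI rather than Flask so it runs without third-party packages; the handler paths, the Bearer scheme, the 32-character minimum token length and the `agents_app` stub are all choices of the example, not the project's API.

```python
"""Added example: the insecure legacy default modelled as a WSGI app, beside a
bearer-token wrapper that refuses to start without a usable token."""
import hmac
import json
import secrets
from typing import Iterable, Optional

# The legacy server's defaults as quoted in the advisory.
INSECURE_AUTH_ENABLED = False
INSECURE_AUTH_TOKEN = None


def _json_response(start_response, status: str, body: dict) -> Iterable[bytes]:
    payload = json.dumps(body).encode()
    start_response(status, [("Content-Type", "application/json"),
                            ("Content-Length", str(len(payload)))])
    return [payload]


def agents_app(environ, start_response):
    """Hypothetical stand-in for the protected endpoints (not PraisonAI's handlers)."""
    path = environ.get("PATH_INFO", "")
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "GET" and path == "/agents":
        return _json_response(start_response, "200 OK", {"agents": ["constructed-agent"]})
    if method == "POST" and path == "/chat":
        return _json_response(start_response, "200 OK", {"result": "workflow started"})
    return _json_response(start_response, "404 Not Found", {"error": "not found"})


def require_bearer_token(app, auth_enabled: bool, auth_token: Optional[str]):
    """Wrap `app` in a fail-closed bearer-token check.

    Unlike the legacy default, a missing or disabled token is a startup error,
    not a silent decision to serve every request unauthenticated.
    """
    if not auth_enabled:
        raise RuntimeError("refusing to serve with authentication disabled")
    if not auth_token or len(auth_token) < 32:  # example's own minimum
        raise RuntimeError("refusing to start: auth token missing or too short")
    expected = auth_token.encode()

    def wrapped(environ, start_response):
        header = environ.get("HTTP_AUTHORIZATION", "")
        scheme, _, presented = header.partition(" ")
        # Constant-time compare so a wrong token does not leak its prefix via timing.
        if scheme.lower() != "bearer" or not hmac.compare_digest(
                presented.strip().encode(), expected):
            return _json_response(start_response, "401 Unauthorized",
                                  {"error": "missing or invalid token"})
        return app(environ, start_response)
    return wrapped


def legacy_app():
    """Model of the vulnerable default: with AUTH_ENABLED False the check is skipped."""
    if not INSECURE_AUTH_ENABLED:
        return agents_app
    return require_bearer_token(agents_app, True, INSECURE_AUTH_TOKEN)


def generate_token() -> str:
    return secrets.token_urlsafe(32)


def call(app, method: str, path: str, authorization: Optional[str] = None):
    """Drive a WSGI app with a constructed request; returns (status line, parsed body)."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.url_scheme": "http"}
    if authorization is not None:
        environ["HTTP_AUTHORIZATION"] = authorization
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
    body = b"".join(app(environ, start_response))
    return captured["status"], json.loads(body)


if __name__ == "__main__":
    print("legacy default, no header:", call(legacy_app(), "GET", "/agents"))
    token = generate_token()
    hardened = require_bearer_token(agents_app, True, token)
    print("hardened, no header:", call(hardened, "GET", "/agents")[0])
    print("hardened, valid token:", call(hardened, "GET", "/agents", f"Bearer {token}")[0])
```

The point of the wrapper is the startup failure: an operator who forgets to set a token finds out immediately, instead of discovering it from a billing spike or a scanner's 200 OK in the access log.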
The flaw impacts all versions of the Python package from 2.5.6 through 4.6.33. The vulnerability has been fixed in version 4.6.34.
Security researcher Shmulik Cohen has been credited with discovering and responsibly reporting the issue.
Successful exploitation of CVE-2026-44338 can expose sensitive information and allow unauthorized actions within vulnerable deployments.
Potential impacts include:
- Unauthenticated access to configured agent files
- Exposure of the agents.yaml workflow configuration
- Unauthorized triggering of AI workflows via the /chat endpoint
- Abuse of AI model or API quotas
- Access to workflow execution results generated by PraisonAI.run()
- Increased operational costs caused by repeated automated requests
Security experts warn that the actual damage depends on what capabilities are configured inside the victim’s agents.yaml file. In environments where AI agents can interact with internal systems, cloud services, or external APIs, attackers may gain access to sensitive operations without needing credentials.
Cloud security company Sysdig reported that attackers began probing internet-facing PraisonAI instances within hours of the public disclosure.
According to the report, the advisory became public on May 11, 2026, at 13:56 UTC. The first malicious scanning activity was detected at 17:40 UTC — just three hours and 44 minutes later.
Researchers observed scanning activity originating from the IP address 146.190.133[.]49. The activity used a scanner identifying itself as:
User-Agent: CVE-Detector/1.0
The automated scanner reportedly conducted two separate scanning passes approximately eight minutes apart. Each pass generated nearly 70 requests within less than a minute.
During the first wave, attackers searched for common exposed files and administrative paths, including:
/.env
/admin
/users/sign_in
/eval
/calculate
/Gemfile.lock
The second pass focused specifically on AI-agent platforms and vulnerable PraisonAI endpoints.
Sysdig researchers confirmed that the scanner sent a direct request to the vulnerable endpoint:
GET /agents
Notably, the request carried no Authorization header, yet the server answered with a 200 OK and returned agent configuration details. That exchange confirms that the endpoint can be read remotely without any credential.
Researchers also noted that attackers did not attempt to send POST requests to the /chat endpoint during the observed activity. This suggests the campaign was likely an early reconnaissance effort designed to identify exploitable systems before launching larger attacks.
The rapid exploitation of PraisonAI reflects a growing cybersecurity trend where attackers increasingly target AI frameworks, agent-based systems, and automation platforms immediately after vulnerabilities become public.
Cybercriminals are now heavily monitoring newly published advisories and integrating fresh exploits into automated scanning tools within hours. Security teams no longer have days or weeks to patch critical systems.
The incident also demonstrates that even smaller open-source AI projects are now part of the modern attack surface. Threat actors are no longer focusing only on major enterprise vendors but are aggressively targeting any internet-exposed AI infrastructure with weak default security settings.
Organizations using PraisonAI should immediately upgrade to version 4.6.34 or later to eliminate the authentication bypass vulnerability.
Security experts also recommend taking the following actions:
- Audit all internet-exposed PraisonAI deployments
- Restrict public access to AI management interfaces
- Review API and model provider billing for suspicious spikes
- Rotate credentials stored in agents.yaml
- Disable unused legacy API components
- Monitor logs for unauthorized requests to /agents and /chat
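The following added example (written for this page, not Sysdig's or PraisonAI's tooling) turns the monitoring recommendation above and the scan pattern Sysdig described into a check over web-server access logs: it flags external requests to /agents and /chat, the CVE-Detector user-agent, and per-client request bursts. The log lines are constructed to resemble the reported activity, the trusted 10.0.0.0/8 range is an assumption, and the burst threshold is set to 5 so the short sample triggers it (the observed passes were closer to 70 requests in under a minute). Note the caveat in the comments: a standard access log does not record the Authorization header, so any external hit on those paths is treated as a probe and a 200 as a successful one.

```python
"""Added example: flag the CVE-2026-44338 scan pattern in access-log lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Combined log format: ip ident user [ts] "METHOD PATH PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SENSITIVE_PATHS = {"/agents", "/chat"}        # endpoints exposed by the legacy server
SCANNER_UA_RE = re.compile(r"CVE-Detector", re.IGNORECASE)
TRUSTED_NETS = [ip_network("10.0.0.0/8")]     # assumed: only this range may use the API

SAMPLE_LOG = [  # constructed lines modelled on the described scan, not real log data
    '146.190.133.49 - - [11/May/2026:17:40:02 +0000] "GET /.env HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '146.190.133.49 - - [11/May/2026:17:40:02 +0000] "GET /admin HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '146.190.133.49 - - [11/May/2026:17:40:03 +0000] "GET /users/sign_in HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '146.190.133.49 - - [11/May/2026:17:40:03 +0000] "GET /eval HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '146.190.133.49 - - [11/May/2026:17:40:04 +0000] "GET /calculate HTTP/1.1" 404 153 "-" "CVE-Detector/1.0"',
    '146.190.133.49 - - [11/May/2026:17:48:10 +0000] "GET /agents HTTP/1.1" 200 612 "-" "CVE-Detector/1.0"',
    '10.1.2.3 - - [11/May/2026:17:41:00 +0000] "GET /agents HTTP/1.1" 200 612 "-" "python-requests/2.32"',
    '203.0.113.7 - - [11/May/2026:17:42:00 +0000] "GET / HTTP/1.1" 200 88 "-" "Mozilla/5.0"',
]


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def is_trusted(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def analyze(lines: List[str], burst_threshold: int = 5,
            window: timedelta = timedelta(seconds=60)) -> List[Tuple[str, str, str]]:
    """Return (severity, ip, reason) findings, at most one per (ip, reason)."""
    findings: List[Tuple[str, str, str]] = []
    seen = set()
    stamps = defaultdict(list)

    def add(sev: str, ip: str, reason: str) -> None:
        if (ip, reason) not in seen:
            seen.add((ip, reason))
            findings.append((sev, ip, reason))

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        stamps[rec["ip"]].append(rec["ts"])
        # The access log does not record the Authorization header, so every external
        # hit on a sensitive path is a probe; a 200 means the probe succeeded.
        if rec["path"] in SENSITIVE_PATHS and not is_trusted(rec["ip"]):
            sev = "high" if rec["status"] == 200 else "medium"
            add(sev, rec["ip"], f"external {rec['method']} {rec['path']} -> {rec['status']}")
        if SCANNER_UA_RE.search(rec["ua"]):
            add("medium", rec["ip"], f"scanner user-agent {rec['ua']}")

    # Sliding window over each client's sorted timestamps to catch scan bursts.
    for ip, ts in stamps.items():
        ts.sort()
        start = 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:
                start += 1
            if end - start + 1 >= burst_threshold:
                add("medium", ip, f">={burst_threshold} requests within {int(window.total_seconds())}s")
                break
    return findings


if __name__ == "__main__":
    for sev, ip, reason in analyze(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {reason}")
```

Run against the sample, the scanner address produces three findings (the successful GET /agents, the user-agent, and the burst) while the internal client and the benign visitor produce none. If the API sits behind a proxy that does log the Authorization header, the "external hit" rule can be tightened to fire only when that header is absent.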
Companies running AI agent frameworks should also implement stronger authentication controls, network segmentation, and continuous monitoring to reduce exposure to future attacks.
The exploitation of CVE-2026-44338 serves as another warning that AI infrastructure is rapidly becoming a prime target for cybercriminals. As organizations increasingly adopt AI agents and automation frameworks, attackers are actively searching for insecure default configurations and exposed APIs.
With exploitation attempts now occurring within hours of disclosure, cybersecurity teams must adopt faster patch management processes and continuous threat monitoring to defend against rapidly evolving attacks targeting AI ecosystems.