
CVE-2026-44338: PraisonAI Legacy Flask API Authentication Bypass — Scanner Probed Vulnerable /agents Endpoint 3 Hours 44 Minutes After GitHub Advisory

Date: 2026-05-19
Tags: malicious-tool, mcp-security

Executive Summary

GitHub published advisory GHSA-6rmh-7xcm-cpxj (CVE-2026-44338, CVSS 7.3) on May 11, 2026, disclosing an unauthenticated authentication bypass in PraisonAI's legacy Flask API server affecting versions 2.5.6 through 4.6.33; the fix is in 4.6.34. PraisonAI is a multi-agent orchestration framework with roughly 7,100 GitHub stars whose src/praisonai/api_server.py hard-codes AUTH_ENABLED = False and binds to 0.0.0.0:8080 when launched directly, so any reachable caller can hit GET /agents (enumerate configured agents) and POST /chat (invoke the locally configured agents.yaml workflow) without a token. Sysdig's runtime telemetry observed a probe identifying itself as User-Agent: CVE-Detector/1.0 hitting the vulnerable /agents route at 17:40 UTC the same day — three hours and forty-four minutes after the advisory went live at 13:56 UTC.

Campaign Summary

| Field | Detail |
|---|---|
| Campaign / Malware | CVE-2026-44338 PraisonAI Auth Bypass — opportunistic mass scanning |
| Actor / Attribution | Vulnerability disclosed by Shmulik Cohen; exploitation telemetry reported by Sysdig Threat Research Team; no named threat actor — opportunistic CVE-tracking scanners |
| Target | PraisonAI deployments running the legacy api_server.py Flask entrypoint on accessible interfaces (developer hosts, internal services, internet-exposed lab agents) |
| Vector | Unauthenticated HTTP GET /agents and POST /chat to TCP/8080 (default bind 0.0.0.0:8080) |
| Status | active — scanning observed; patch shipped in 4.6.34 |
| First Observed | 2026-05-11 (advisory publication and first observed probe) |

Detailed Findings

According to the GitHub Security Advisory GHSA-6rmh-7xcm-cpxj, PraisonAI's src/praisonai/api_server.py ships with two module-level constants: AUTH_ENABLED = False and AUTH_TOKEN = None. A check_auth() helper returns True unconditionally whenever AUTH_ENABLED is false, so the two "protected" routes fail open by design. GET /agents returns the configured agent metadata — including the agent_file name (typically agents.yaml) and the list of agents — and POST /chat accepts any JSON body containing a message key and executes PraisonAI(agent_file="agents.yaml").run(). The advisory assigns CWE-306 (Missing Authentication for Critical Function), CWE-668 (Exposure of Resource to Wrong Sphere), and CWE-1188 (Initialization with Insecure Default), and notes that when launched directly the server binds to 0.0.0.0:8080, making it reachable to anyone on the same network segment.
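The fail-open pattern the advisory describes, alongside a fail-closed version, as an added illustration (this is not PraisonAI's code; the function names, the config dictionary and the Bearer scheme are assumptions modelled on the advisory's description of AUTH_ENABLED, AUTH_TOKEN and check_auth()):

```python
"""Fail-open vs fail-closed auth check for a Flask-style API server.

Added illustration, not PraisonAI's code. Config keys and function names are
assumptions modelled on the advisory (AUTH_ENABLED, AUTH_TOKEN, check_auth()).
"""
import hmac
import secrets

# Constructed config mirroring the insecure defaults the advisory describes.
LEGACY_DEFAULTS = {"AUTH_ENABLED": False, "AUTH_TOKEN": None, "HOST": "0.0.0.0"}


def check_auth_legacy(config: dict, headers: dict) -> bool:
    """Pattern the advisory describes: auth disabled means every caller passes."""
    if not config["AUTH_ENABLED"]:
        return True
    return headers.get("Authorization") == f"Bearer {config['AUTH_TOKEN']}"


def check_auth_hardened(config: dict, headers: dict) -> bool:
    """Fail closed: auth disabled or no token configured means nobody passes."""
    token = config.get("AUTH_TOKEN")
    if not config.get("AUTH_ENABLED", True) or not token:
        return False
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    # Constant-time comparison so a wrong token cannot be refined via timing.
    return hmac.compare_digest(presented.encode(), token.encode())


def secure_config(host: str = "127.0.0.1") -> dict:
    """Config that enables auth with a random token and a loopback bind."""
    return {"AUTH_ENABLED": True, "AUTH_TOKEN": secrets.token_urlsafe(32), "HOST": host}


def bind_is_exposed(host: str) -> bool:
    """True when the bind address accepts connections from other hosts."""
    return host not in ("127.0.0.1", "::1", "localhost")


if __name__ == "__main__":
    print("legacy, no header:", check_auth_legacy(LEGACY_DEFAULTS, {}))
    print("hardened, no header:", check_auth_hardened(LEGACY_DEFAULTS, {}))
    cfg = secure_config()
    good = {"Authorization": f"Bearer {cfg['AUTH_TOKEN']}"}
    print("hardened, valid token:", check_auth_hardened(cfg, good))
    print("default bind exposed:", bind_is_exposed(LEGACY_DEFAULTS["HOST"]))
```

The hardened variant refuses requests whenever the token is unset, which turns the "insecure default" (CWE-1188) into a startup misconfiguration that is noticed immediately rather than a silent bypass.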

According to Sysdig's research blog "CVE-2026-44338: PraisonAI authentication bypass in under 4 hours and the growing trend of rapid exploitation", security researcher Shmulik Cohen discovered and reported the bug. The advisory was published at 13:56 UTC on May 11, 2026; Sysdig's runtime telemetry recorded the first targeted probe at 17:40 UTC the same day, a single GET /agents request bearing no Authorization header and a User-Agent: CVE-Detector/1.0 string. The vulnerable server responded with HTTP 200 OK and a JSON body of the form {"agent_file":"agents.yaml","agents":[...]}, confirming the bypass was successful and that the scanner can recognise vulnerable hosts at zero cost.

The Hacker News (May 14, 2026) and CSO Online (May 14, 2026 — "PraisonAI vulnerability gets scanned within 4 hours of disclosure") report the same timeline and emphasise that the operational impact depends on what the deployer's agents.yaml workflow is allowed to do: at minimum, unauthenticated callers consume LLM API quota; in the worst case, where the workflow can browse the web, read files, run shell tools through MCP, or call cloud APIs, the bypass becomes a remote-execution-by-proxy via the LLM agent. This is the second PraisonAI advisory tracked in the LLM ThreatIntel feed this cycle: CVE-2026-40160 (PraisonAIAgents SSRF in web_crawl, April 13, 2026) covered a separate code path in the same project and underscores that the framework's default-open posture extends across multiple components.

The four-hour disclosure-to-scan window matches the broader pattern documented in CrowdStrike's 2026 Global Threat Report (eCrime breakout time of 29 minutes) and Sysdig's own observation that AI-framework CVEs are being added to mass-scan corpora almost as quickly as commodity web CMS CVEs. Operators should assume that any PraisonAI host reachable from an untrusted network was probed on May 11 and that successful probes have been indexed for follow-on use.

MITRE ATT&CK Mapping

| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Unauthenticated /agents and /chat Flask routes on TCP/8080 reachable from network |
| Active Scanning: Vulnerability Scanning | T1595.002 | Mass scanner identifying as CVE-Detector/1.0 probing the exact CVE-2026-44338 endpoint within hours of advisory |
| External Remote Services | T1133 | PraisonAI legacy API server bound to 0.0.0.0:8080 exposed as remote service |
| Abuse Elevation Control Mechanism | T1548 | Default AUTH_ENABLED = False and check_auth() returning True bypass intended authorisation |
| Command and Scripting Interpreter | T1059 | Downstream impact: agents.yaml workflow can invoke shell tools, MCP servers, or cloud APIs once attacker reaches /chat |

IOCs

Domains

No domain IOCs published by source

Full URL Paths

No URL IOCs published by source

Splunk Format

"CVE-Detector/1.0"

Package Indicators

pypi:praisonai@>=2.5.6,<=4.6.33

File Hashes

No hash IOCs published by source

Detection Recommendations

Upgrade praisonai to 4.6.34 or later immediately. On hosts that cannot be patched right away, set AUTH_ENABLED = True and a strong AUTH_TOKEN in src/praisonai/api_server.py, or block external access to TCP/8080 at the host firewall; the legacy server's default 0.0.0.0:8080 bind makes loopback restriction the safer interim control.

In web-proxy and load-balancer logs, alert on inbound GET /agents and POST /chat requests without an Authorization header, and on any request carrying User-Agent: CVE-Detector/1.0 to any host on any port — this scanner string is unique to the post-disclosure mass-scan corpus and should be a high-confidence indicator.

In EDR / process telemetry, alert on the praisonai Python process binding to a non-loopback socket on port 8080, and on shell invocations spawned by a praisonai parent that originate during HTTP request handling — these correspond to /chat execution of agents.yaml.

For deployments that intentionally expose PraisonAI as a service, front it with an authenticated reverse proxy (mTLS or OIDC) and restrict the agents.yaml workflow to non-destructive tool sets; the framework's default trust posture means a successful /chat post inherits all permissions the workflow has, including any configured MCP servers, file-system tools, or cloud SDK credentials.
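The proxy-log detection above, implemented over constructed access-log lines as an added example (not Sysdig's or PraisonAI's code). It assumes an Apache/nginx "combined" log format with one extra trailing field that the proxy writes as "auth" when an Authorization header was present and "-" otherwise, so tokens never land in the log; the timestamp of the first constructed line mirrors the reported 17:40 UTC probe, and the only real indicator used is the CVE-Detector/1.0 User-Agent:

```python
"""Flag CVE-2026-44338 probe and bypass traffic in reverse-proxy access logs.

Added example, not Sysdig's or PraisonAI's code. Log lines are constructed.
Format assumed: combined log plus a trailing quoted field ("auth" or "-")
recording only whether an Authorization header was present.
"""
import re
from collections import Counter
from dataclasses import dataclass

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)" "(?P<auth>[^"]*)"$'
)

SCANNER_UA = "CVE-Detector/1.0"  # reported by Sysdig telemetry
VULN_ROUTES = {("GET", "/agents"), ("POST", "/chat")}

# Constructed sample lines; addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/May/2026:17:40:02 +0000] "GET /agents HTTP/1.1" 200 512 "-" "CVE-Detector/1.0" "-"',
    '10.0.0.5 - - [11/May/2026:17:41:10 +0000] "POST /chat HTTP/1.1" 200 1024 "-" "python-requests/2.31" "auth"',
    '10.0.0.6 - - [11/May/2026:17:41:30 +0000] "GET /health HTTP/1.1" 200 12 "-" "kube-probe/1.29" "-"',
    '198.51.100.2 - - [11/May/2026:18:02:45 +0000] "POST /chat HTTP/1.1" 401 0 "-" "curl/8.5.0" "-"',
]


@dataclass
class Finding:
    src: str
    ts: str
    rule: str
    severity: str


def analyse_line(line: str) -> list:
    """Return zero or more findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []  # unparsable line: route to a separate parse-failure alert
    f = m.groupdict()
    out = []
    if f["ua"] == SCANNER_UA:
        out.append(Finding(f["src"], f["ts"], "scanner-ua", "high"))
    route = (f["method"], f["path"].split("?", 1)[0])
    if route in VULN_ROUTES and f["auth"] == "-":
        # A 200 on an unauthenticated call means the bypass succeeded,
        # not merely that it was attempted.
        sev = "high" if f["status"] == "200" else "medium"
        out.append(Finding(f["src"], f["ts"], "unauth-vuln-route", sev))
    return out


def analyse_log(lines) -> list:
    return [fd for line in lines for fd in analyse_line(line)]


def sources_by_severity(findings, severity: str) -> dict:
    """Count findings per source address at one severity, for triage."""
    return dict(Counter(fd.src for fd in findings if fd.severity == severity))


if __name__ == "__main__":
    for fd in analyse_log(SAMPLE_LOG):
        print(f"{fd.severity:6} {fd.rule:18} {fd.src} at {fd.ts}")
```

Once the host is patched, the unauth-vuln-route rule should start producing only medium findings (non-200 responses); any remaining high finding on that rule is a host that is still running the vulnerable entrypoint.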

References