PraisonAI — CVE-2026-44338 Auth Bypass Exploited in Under 4 Hours

AI relevance: PraisonAI is a multi-agent orchestration framework (~7,100 GitHub stars) whose default API server exposes agent definitions and workflow execution endpoints to unauthenticated callers.

What happened

  • On May 11, 2026, GitHub published advisory GHSA-6rmh-7xcm-cpxj (CVE-2026-44338) for PraisonAI.
  • The legacy api_server.py entrypoint hard-codes AUTH_ENABLED = False and AUTH_TOKEN = None, causing the check_auth() helper to always return True.
  • GET /agents returns the full agent metadata, including agent file names and definitions.
  • POST /chat executes PraisonAI(agent_file="agents.yaml").run() — the submitted message body is ignored, but the configured workflow runs unconditionally.
  • Versions 2.5.6 through 4.6.33 are affected; the fix landed in 4.6.34.

Advisory-to-exploitation in 3h 44m

  • Advisory published at 13:56 UTC. First targeted probe at 17:40 UTC — a 3 hour 44 minute gap.
  • The scanner (User-Agent CVE-Detector/1.0, from DigitalOcean IP 146.190.133.49) ran two passes 8 minutes apart, each ~70 requests in ~50 seconds.
  • First pass: generic recon (/.env, /admin, /users/sign_in). Second pass narrowed to AI-agent surfaces including /api/agents/config, /api/agents, /docs, /openapi.json, and MCP endpoints.
  • GET /agents returned 200 OK with {"agent_file":"agents.yaml","agents":[...]}, confirming the bypass.
  • No POST /chat observed — consistent with a validation-then-exploit workflow where follow-on tooling is delivered separately.

Why it matters

  • Part of an accelerating trend: Sysdig TRT has documented advisory-to-exploitation under 10 hours for Marimo, LMDeploy, and Langflow CVEs in recent months.
  • The AI-era "Zero Day Clock" means attackers use LLMs to reverse-engineer patches and generate functional exploits within minutes of disclosure.
  • PraisonAI's auth-disabled-by-default pattern is not uncommon in OSS agent frameworks — any internet-exposed instance was trivially fingerprintable and exploitable.

What to do

  • Upgrade PraisonAI to 4.6.34+ immediately.
  • Audit any agent orchestration framework (PraisonAI, CrewAI, AutoGen, LangGraph deployments) for unauthenticated API endpoints.
  • Do not expose AI agent API servers to the internet without a reverse proxy enforcing auth at the edge.
  • Monitor for CVE-Detector User-Agent and rapid endpoint enumeration patterns in your WAF/IDS logs.
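
The monitoring item above, as an added example (not code from the advisory or from PraisonAI): a small detector that flags the reported User-Agent, a 200 response to GET /agents, and bursts of distinct paths from one client. The combined access-log format, the 60-second window, the 20-path threshold, and the sample IPs and /probe/N paths are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed combined log format: ip - - [ts] "METHOD path proto" status size "referer" "user-agent"
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
SCANNER_UA = "CVE-Detector"       # User-Agent string reported on the page
WINDOW = timedelta(seconds=60)    # assumed; the page reports ~70 requests in ~50 seconds
MIN_DISTINCT_PATHS = 20           # assumed threshold, tune for your traffic

def detect(lines):
    """Return a sorted list of (client_ip, reason) findings."""
    findings = set()
    recent = defaultdict(deque)   # ip -> (timestamp, path) pairs still inside WINDOW
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue              # ignore lines that are not in the expected format
        ip, ts, method, path, status, ua = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        path = path.split("?", 1)[0]
        if SCANNER_UA.lower() in ua.lower():
            findings.add((ip, "scanner-user-agent"))
        # On an affected version, a 200 here means agent metadata was served without auth.
        if method == "GET" and path == "/agents" and status == "200":
            findings.add((ip, "agents-metadata-served"))
        q = recent[ip]
        q.append((when, path))
        while when - q[0][0] > WINDOW:
            q.popleft()           # drop requests that fell out of the sliding window
        if len({p for _, p in q}) >= MIN_DISTINCT_PATHS:
            findings.add((ip, "rapid-enumeration"))
    return sorted(findings)

def sample_log():
    """Constructed log lines: one enumerating scanner and one ordinary client."""
    fmt = '{ip} - - [11/May/2026:17:40:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "{ua}"'
    paths = ["/.env", "/admin", "/users/sign_in", "/api/agents/config", "/api/agents",
             "/docs", "/openapi.json", "/agents"] + [f"/probe/{i}" for i in range(16)]
    lines = [fmt.format(ip="203.0.113.7", s=i * 2, p=p, st=200 if p == "/agents" else 404,
                        ua="CVE-Detector/1.0") for i, p in enumerate(paths)]
    lines.append(fmt.format(ip="198.51.100.20", s=5, p="/docs", st=200, ua="Mozilla/5.0"))
    return lines

if __name__ == "__main__":
    for finding in detect(sample_log()):
        print(finding)
```

The User-Agent match is the weakest of the three signals because the string is trivially changed; the enumeration-rate and /agents response checks do not depend on it.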

Sources