PraisonAI CVE-2026-44338 rapid exploitation

Summary

Sysdig Threat Research reported that internet-exposed PraisonAI agent-framework deployments were scanned for CVE-2026-44338 within 3 hours and 44 minutes of the GitHub advisory being published on May 11, 2026. The vulnerable legacy api_server.py entrypoint shipped with authentication disabled by default, leaving GET /agents and POST /chat reachable without credentials in affected versions.

The durable intelligence value is the exploitation latency and target class: even a mid-sized AI-agent framework was folded into same-day known-CVE scanner workflows. The observed scanner did not trigger agent execution during Sysdig's capture, but it successfully validated exposed PraisonAI endpoints and provides a concrete signal for defenders watching internet-facing AI workflow systems.

Why this matters

  • PraisonAI is an open-source multi-agent orchestration framework; exposed agent runtimes may hold model-provider credentials, cloud credentials, internal data access, or side-effecting tools.
  • Sysdig observed targeted probing less than four hours after public disclosure, reinforcing that advisory-to-exploitation windows for AI and automation tooling should be measured in hours, not days.
  • The vulnerability is not a conventional one-shot RCE by itself. Impact depends on what the operator's agents.yaml workflow can do when /chat invokes the configured agent graph.
  • GET /agents can disclose agent metadata and confirm the target is vulnerable. A later POST /chat can trigger model quota burn, tool execution, file or network actions, downstream workflow calls, or additional information disclosure.
  • The observed activity looked like packaged validation rather than hands-on-keyboard exploitation, which means follow-on exploitation may come from separate tooling or operators after scanner results are collected.

Reported chain

  1. GitHub published advisory GHSA-6rmh-7xcm-cpxj for PraisonAI CVE-2026-44338 at 13:56:16 UTC on May 11, 2026.
  2. Sysdig first saw generic reconnaissance from 146.190.133.49 at 17:32:50 UTC, including common disclosure and application paths.
  3. The same source pivoted to AI-agent and PraisonAI-specific paths at 17:40:53 UTC, including /praisonai/version.txt, /docs, /api/agents/config, /api/agents, and /agents.
  4. A GET /agents request with User-Agent CVE-Detector/1.0 hit the documented vulnerable endpoint at 17:40:55 UTC and returned agent metadata without an Authorization header.
  5. Sysdig observed a second GET /agents probe shortly afterward, but no POST /chat execution attempt in the captured activity.

Vulnerability notes

  • Affected range: PraisonAI >= 2.5.6, <= 4.6.33.
  • Fixed version: 4.6.34.
  • Root issue: the legacy Flask API server hard-coded authentication off (AUTH_ENABLED = False, AUTH_TOKEN = None) and allowed protected routes to fail open.
  • Exposed routes: GET /agents returns configured agent metadata; POST /chat runs PraisonAI(agent_file="agents.yaml").run() regardless of the submitted message value.

Defender heuristics

  • Upgrade PraisonAI to 4.6.34 or later and migrate away from the legacy api_server.py entrypoint.
  • Do not expose PraisonAI or similar agent-framework APIs directly to the internet; bind to loopback or private networks and require an API key or upstream authentication.
  • Hunt for GET /agents or POST /chat requests without Authorization headers, especially when paired with User-Agent CVE-Detector/1.0.
  • Review logs for fingerprinting paths such as /praisonai/version.txt, /pyproject.toml, /poetry.lock, /requirements.txt, /api/agents/config, /api/mcp/config, and OpenAPI/Swagger endpoints.
  • Treat exposed agent frameworks as secret-spill candidates: audit model-provider bills and rotate credentials referenced by agents.yaml, environment files, tool configs, or connected cloud accounts.
  • Add runtime detections for unexpected Python child processes, outbound network connections, file writes, and tool invocations from agent-server processes.
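An added example (not code from Sysdig or the PraisonAI project) that applies the hunt heuristics above to structured access-log records. It assumes a reverse proxy in front of the agent server emits one JSON object per line with the fields src_ip, method, path, user_agent and authorization; the sample records and the extra OpenAPI/Swagger paths are constructed assumptions, not data from the report.

```python
import json
from typing import Dict, List

# Endpoints the advisory describes as failing open on vulnerable versions.
VULN_ENDPOINTS = {("GET", "/agents"), ("POST", "/chat")}
# Fingerprinting paths from the heuristics above; /docs, /openapi.json and
# /swagger.json are assumed OpenAPI/Swagger locations, not taken from the report.
FINGERPRINT_PATHS = {
    "/praisonai/version.txt", "/pyproject.toml", "/poetry.lock",
    "/requirements.txt", "/api/agents/config", "/api/mcp/config",
    "/docs", "/openapi.json", "/swagger.json",
}
SCANNER_UA = "CVE-Detector/1.0"

def triage_request(rec: Dict) -> List[str]:
    """Return the heuristic tags that fire for one structured access-log record."""
    tags = []
    method, path = rec.get("method", ""), rec.get("path", "")
    # A hit on a vulnerable route with no Authorization header is the core signal.
    if (method, path) in VULN_ENDPOINTS and not rec.get("authorization"):
        tags.append("unauthenticated_vuln_endpoint")
    if path in FINGERPRINT_PATHS:
        tags.append("fingerprint_path")
    if rec.get("user_agent", "") == SCANNER_UA:
        tags.append("known_scanner_ua")
    return tags

def triage_log(lines: List[str]) -> Dict[str, List[str]]:
    """Group firing tags by source IP so one host's recon-to-probe chain stands out."""
    hits: Dict[str, List[str]] = {}
    for line in lines:
        rec = json.loads(line)
        for tag in triage_request(rec):
            hits.setdefault(rec["src_ip"], []).append(f"{tag}:{rec['method']} {rec['path']}")
    return hits

# Constructed sample records (documentation-range IPs, not real traffic).
SAMPLE_LOG = [
    '{"src_ip":"198.51.100.7","method":"GET","path":"/robots.txt","user_agent":"Mozilla/5.0","authorization":""}',
    '{"src_ip":"198.51.100.7","method":"GET","path":"/praisonai/version.txt","user_agent":"CVE-Detector/1.0","authorization":""}',
    '{"src_ip":"198.51.100.7","method":"GET","path":"/agents","user_agent":"CVE-Detector/1.0","authorization":""}',
    '{"src_ip":"203.0.113.5","method":"GET","path":"/agents","user_agent":"curl/8.0","authorization":"Bearer REDACTED"}',
    '{"src_ip":"203.0.113.5","method":"POST","path":"/chat","user_agent":"curl/8.0","authorization":""}',
]

if __name__ == "__main__":
    for src, events in triage_log(SAMPLE_LOG).items():
        print(src, "->", ", ".join(events))
```

An authorized GET /agents produces no tag, so the output isolates the unauthenticated probes and the fingerprinting that preceded them.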

Sources

  • Sysdig Threat Research: https://www.sysdig.com/blog/cve-2026-44338-praisonai-authentication-bypass-in-under-4-hours-and-the-growing-trend-of-rapid-exploitation
  • GitHub advisory GHSA-6rmh-7xcm-cpxj / CVE-2026-44338: https://github.com/advisories/GHSA-6rmh-7xcm-cpxj