CVE-2026-44338
HIGH · 7.3 · EPSS 0.1%
Rapid post-disclosure exploitation confirmed; vendor patch released; no PoC code leaked yet.
What: PraisonAI multi-agent framework ships a Flask API server with authentication disabled by default (versions 2.5.6–4.6.33), allowing unauthenticated access to the /agents and /chat endpoints. CVSS 7.3 HIGH.
Why it matters: Social chatter reports active exploitation via automated scanners within 4 hours of disclosure (2026-05-08). Threat actors observed hijacking agents and draining API quotas. Patch (4.6.34) available. Not yet KEV-listed but rapid weaponization and vendor patching signal real triage pressure.
Where it's seen: Sysdig, HackerNews, security researchers posting exploit timelines and urging immediate patching. Multilingual coverage (English, Japanese) amplifies reach.
RISK: HIGH — Unauthenticated API access; active scanner-based exploitation; API quota theft observed.
Description
PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured agents.yaml workflow through /chat without providing a token. This issue has been patched in version 4.6.34.
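The weak pattern the description names is an API server whose token check is off unless the operator enables it, so an unconfigured deployment serves /agents and /chat to anyone who can reach the port. The following is an added example, not PraisonAI's code: a deny-by-default bearer-token gate written as a WSGI middleware (Flask apps are WSGI callables, so it wraps one without modification). The protected paths come from the advisory; the environment variable name `AGENT_API_TOKEN`, the `demo_app` stand-in for the agent API and the loopback bind are assumptions made for the example.

```python
"""Deny-by-default bearer-token gate as a WSGI middleware.

Added example, not PraisonAI's code. The gate refuses every request to a
protected path when no token is configured at all, so a deployment that
forgot to set one fails closed instead of exposing the agent endpoints.
"""
import hmac
import os
from wsgiref.simple_server import make_server

# Paths the advisory names as reachable without a token.
PROTECTED_PATHS = ("/agents", "/chat")


def authorize_request(environ, expected_token):
    """Return (allowed, reason) for one WSGI request.

    Deny when no token is configured (fail closed), when the Authorization
    header is missing or not a Bearer scheme, or when the presented token
    does not match. hmac.compare_digest avoids a timing side channel.
    """
    path = environ.get("PATH_INFO", "")
    if not any(path == p or path.startswith(p + "/") for p in PROTECTED_PATHS):
        return True, "unprotected path"
    if not expected_token:
        return False, "no API token configured; refusing to serve protected paths"
    header = environ.get("HTTP_AUTHORIZATION", "")
    scheme, _, presented = header.partition(" ")
    if scheme.lower() != "bearer" or not presented:
        return False, "missing or malformed Authorization header"
    if not hmac.compare_digest(presented.encode(), expected_token.encode()):
        return False, "token mismatch"
    return True, "token accepted"


class TokenGate:
    """WSGI middleware wrapping any app (a Flask app object works here)."""

    def __init__(self, app, expected_token):
        self.app = app
        self.expected_token = expected_token

    def __call__(self, environ, start_response):
        allowed, reason = authorize_request(environ, self.expected_token)
        if not allowed:
            # Log every denial so scanner sweeps against the agent paths
            # are visible in the server output.
            print(f"denied {environ.get('REMOTE_ADDR')} "
                  f"{environ.get('PATH_INFO')}: {reason}")
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"),
                            ("WWW-Authenticate", "Bearer")])
            return [b"unauthorized\n"]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Hypothetical stand-in for the agent API; not PraisonAI's handlers."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"ok {environ.get('PATH_INFO')}\n".encode()]


def build_app(expected_token=None):
    """Wrap demo_app; token comes from AGENT_API_TOKEN (assumed name) if not given."""
    if expected_token is None:
        expected_token = os.environ.get("AGENT_API_TOKEN", "")
    return TokenGate(demo_app, expected_token)


if __name__ == "__main__":
    # Bind to loopback only; with no AGENT_API_TOKEN set, /agents and /chat
    # answer 401 rather than running the configured workflow.
    with make_server("127.0.0.1", 8080, build_app()) as srv:
        print("listening on 127.0.0.1:8080 (loopback only)")
        srv.serve_forever()
```

The design point is the default: `authorize_request` treats an empty token as "deny protected paths", which is the inverse of the shipped behaviour the advisory describes. Operators running an affected version who cannot upgrade immediately get the same effect by keeping the server off any routable interface until 4.6.34 is applied.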
CVSS 3.1 breakdown
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: Low
- Integrity: Low
- Availability: Low